16-31 July 2014


US – State Police Now Fingerprinting Every Texan

The Texas Department of Public Safety has quietly embarked on a project to take the fingerprints of every Texan old enough to drive over the next 12 years, and add them to a statewide criminal history database. Not only has the department made that momentous decision on its own, it doesn’t even have clear legal authority to do so.

US – Facial Recognition Code Should Protect Minorities, Adolescents

In trying to establish a code of conduct on the commercial uses of facial recognition technology, there’s been much discussion about the potential harms if the technology isn’t regulated. At the National Telecommunications and Information Administration’s July 24 meeting, stakeholders called in a couple of experts to better understand who is most vulnerable. UCLA Assistant Prof. Adriana Galván testified that adolescents are particularly at risk because research indicates they are more excited by “rewards” than adults, which could be exploited by marketers using the technology to recognize age. Rutgers Prof. Jerome Williams discussed evidence of the risks minorities already face in the marketplace that could be exacerbated using technology capable of detecting race. [Source]

US – Franken Appreciates Responses, Wants More Done

Following concerns from Capitol Hill about new technology using fingerprints as passwords, Apple and Samsung sent letters to Sen. Al Franken (D-MN) claiming users’ fingerprints are not stored on their smartphones and are safe from hackers and identity theft. “We agree with you that fingerprint-scanning technology for smartphones can be convenient and beneficial for consumers but must be implemented in a way that safeguards consumer privacy,” Samsung’s vice president wrote. Franken had requested information from the companies on data protection provisions, and while the responses were “mostly good news,” the companies still haven’t taken steps to prevent criminals “from bypassing fingerprint readers with a spoofed print,” the senator said. [The Hill]

US – AG’s Office Reduces Access to Facial Recognition Database

Ohio AG Mike DeWine’s office continues to reduce the number of law enforcement officers statewide who have access to controversial facial-recognition technology. The system was rolled out last year and allows police to run pictures of unknown individuals through a database of 23 million Ohio driver’s license photos and prison mug shots to establish a match, the report states. It’s led to at least one murder arrest, state officials say. But the American Civil Liberties Union and other advocates complained about potential privacy violations. As a result, the number of individuals with access to the system has shrunk from 30,000 to 5,594, according to the AG’s office. [Associated Press]

Big Data

UK – ICO Publishes ‘Big Data’ Guidance, Stresses Fairness and Transparency

The UK Information Commissioner’s Office (ICO) has published a new report on big data and data protection (51 pages) in which it warned businesses to ensure that they process personal data fairly and in a transparent manner when undertaking big data initiatives. In some cases businesses will use new analytics capabilities to make use of existing personal data sets that they have collected. However, in other cases companies will use data collected from third parties to glean information on individuals’ behaviours and attitudes or to personalise services they offer. The ICO warned businesses of the checks they need to carry out to ensure they comply with the Data Protection Act (DPA) in those cases. The ICO said that businesses need to get “innovative” to convey concise information about the way in which they intend to use individuals’ personal data in a big data setting. The watchdog said companies need to update their privacy notices and make sure individuals are aware if they find new purposes for processing personal data that were unforeseen when consumers were first told of the reasons for which their data was to be used. Uncertainty over how personal data may be used in future big data projects does not remove businesses’ obligations to explain possible foreseen purposes of future processing to individuals, it added. [Source] [Pinsent Masons, the law firm behind, called on the ICO to explain “what transparency and fairness looks like” in the big data era.]


CA – IAPP Thanks Ann Cavoukian for Her Service to the Profession

At the recently concluded IAPP Canada Privacy Symposium, Kris Klein, the IAPP’s managing director for Canada, took time from the keynote stage to thank Ontario Information and Privacy Commissioner Ann Cavoukian for her service to the profession. The IAPP captured the moment in a short video that is now part of our new video archive. Cavoukian now heads up Ryerson University’s Institute for Privacy and Big Data, but you can see the emotion with which she left the position she occupied for nearly two decades. [Source]

CA – Average of “Almost One Breach a Day” Reported

“The federal government has quietly logged 101 breaches of Canadians’ private information over the last four months,” citing information released by the Office of the Privacy Commissioner (OPC) indicating “his office was informed of a privacy breach an average of almost once a day since April 1.” The OPC has also weighed in on a hacking incident involving Canada’s National Research Council, stating, “We are following developments very closely due to the potential implication for personal information.” Meanwhile, New Brunswick Privacy Commissioner Ann Bertrand has recommended “disciplinary measures and provincial charges” for a doctor who accessed 141 patients’ medical files. [Toronto Star]

CA – Judge Agrees to Hear Telecoms’ Charter Rights Challenge

The Canadian Press reports that Ontario Justice John Sproat “has agreed to hear a Charter of Rights challenge brought by Telus and Rogers after they were asked by police in April to release cellphone information of about 40,000 to 50,000 customers as part of an investigation.” In his ruling, Sproat wrote, “The privacy rights of the tens of thousands of cell-phone users (are) of obvious importance.” Sproat’s ruling follows the Supreme Court of Canada’s June ruling affirming “Canadians have a right to online privacy under the Charter of Rights and Freedoms” and the announcements that followed from Telus and Rogers that they would require warrants before they “give basic customer information to police or security agencies,” the report notes. [Source] SEE ALSO: Michael Geist writes of last month’s Supreme Court decision and the actions several telecoms have taken regarding data retention following that ruling. The Toronto Star opines, “With giants Rogers and Telus on side, and Bell under pressure to follow, the message should be clear for Ottawa,” suggesting, “The writing is on the wall” for bills C-13 and S-4. Telus and Rogers Communications now require warrants for customer information after the Supreme Court decision. University of Toronto’s Christopher Parsons said if other telcos “start to take a similar position, maybe that would defray the impact of C-13, although it wouldn’t mean that C-13 was a better law.” [Telecoms move in right direction on privacy: Editorial]

CA – OACP Updates Guidelines for Police Record Checks

Recently the Ontario Association of Chiefs of Police (OACP) updated their LEARN Guideline for Police Record Checks. We applaud the OACP for taking this important step, which has the potential to have a positive effect on the lives of thousands of law-abiding Ontarians. While the guidelines are voluntary, this is an important step to ensuring a proper and consistent approach to how information is disclosed when police record checks are conducted. We strongly encourage all of Ontario’s 57 police forces to adopt the OACP’s guidance on limiting the disclosure of non-conviction and non-criminal records to a limited class of exceptional circumstances. Similar to the recommendations of our recent Crossing the Line investigation into the disclosure of attempted suicide to US border officials through the CPIC database, the OACP recommends that police forces keep mental health police contacts confidential unless exceptional circumstances are present. The position of the IPC has long been that non-conviction and non-criminal information should be disclosed during the course of a police records check only in exceptional circumstances, consistent with focused, objective public safety-related criteria. [Source] [The Toronto Star: Toronto Police To Keep Sharing Non-Conviction Records]

CA – Police Chiefs Call for Presumed Innocence in Background Checks

Police forces across Ontario are being told to stop disclosing unproven allegations, withdrawn charges and 911 mental health calls in background checks shared with employers, volunteer organizations and U.S. border officials. The Ontario Association of Chiefs of Police (OACP) issued the strong new recommendations this week amid an ongoing Star investigation documenting how the professional and personal lives of innocent Ontarians have been undermined by routine disclosures of non-conviction records. The voluntary guidelines call on forces that sign on to keep mental health police contacts and unproven charges confidential except under exceptional circumstances. OACP is also calling on the government of Ontario to introduce legislation that would compel all of the province’s 57 police forces to follow clear rules about what they can — and cannot — disclose. As it stands, records ranging from police surveillance notes to mental health incidents that never prompted a charge or conviction are making their way onto police background checks and the computer screens of U.S. border officials, the Star investigation has shown. The fallout includes lost jobs and educational opportunities, inability for some people to enter the U.S. and roadblocks to volunteering with agencies that serve vulnerable Ontarians. Until now, only about half the province’s police forces had signed on fully to the existing OACP guidelines, said Cormier. [Source]

CA – Class Actions Seek to Expand Law of Privacy Breaches

Two recently certified class action lawsuits could expand the scope of the fledgling Ontario tort of “intrusion upon seclusion”—the privacy tort first recognized by the Court of Appeal in 2012. The two cases—Evans v. The Bank of Nova Scotia and Condon v. Canada—are notable for being, respectively, the first class action to be certified in Ontario based on the tort of “intrusion upon seclusion” and the largest class action involving a digital privacy breach in Canada. Both cases seek to extend the reach of the privacy tort by claiming that institutions are liable when their actions either directly or indirectly compromise the personal information of their clients. In Evans, the Ontario Superior Court of Justice will be asked to determine whether an employer is vicariously liable for its employee’s deliberate theft of clients’ personal information. In Condon, the Federal Court will assess the government’s responsibility for allegedly reckless behaviour by its employees, leading to the loss of thousands of student loan records. Both class actions seek to push the current boundaries of the tort of intrusion upon seclusion. [Mondaq]

CA – Charities May Be Asked for Donor Lists Under CRA Proposal

Canadian charities would have to turn over lists of their donors’ identities to the Canada Revenue Agency under a proposal being floated by the Conservative government. The move is touted as a way to prevent tax-receipt fraud, but some charities are wary of the administrative burden — and the potential close surveillance of groups that criticize government policies. Revenue Minister Kerry-Lynne Findlay made the suggestion behind closed doors this spring to charities officials in Ottawa as the government seeks ways to tighten regulation of Canada’s charitable sector. Findlay asked officials of the Heart and Stroke Foundation, the Canadian Cancer Society and others for their input, as well as their reaction to a proposal to standardize the format, size and colour of official income-tax receipts for charitable donations. The consultation took place before a March 26 media event at which Findlay and Kevin Sorenson, minister of state for finance, boasted about the government’s achievements in reducing red tape for charities. The suggestion about turning over donor lists also came as some charities, subject to lengthy audits by the Canada Revenue Agency over their political activities, were feeling vulnerable and threatened by the Harper government. Findlay’s proposals apparently met with “stunned silence” initially, according to one witness, who requested anonymity. At least one charity official later spoke against them. “You can imagine why neither of these proposals would reduce red tape for charities — and why, given the current climate, there would be significant concern about the intent,” said the source. Pamela Fralick, president and CEO of the Canadian Cancer Society, was also at the closed-door meeting and said the minister was “floating ideas” rather than putting forward concrete proposals. Fralick said she would need to see more details before the society could adopt a position. There are some 86,000 registered charities in Canada, though fewer than one per cent report any political activity. [The Winnipeg Free Press]

CA – Other Canadian News

The Globe and Mail reported that, as part of Bill C-24, the government can share Canadian immigration files and other data with foreign governments, and Prime Minister Stephen Harper’s cabinet can now draft regulations “providing for the disclosure of information for the purposes of national security, the defense of Canada or the conduct of international affairs” as well as for the “disclosure of information to verify the citizenship status or identity of any person” to enforce the nation’s law “or law of another country.”

CBC reported that Communications Security Establishment Canada says it cannot be sure Canadian intelligence protects information about Canadians when sharing intelligence data with the other Five Eyes partners.

CASL brought an onslaught of e-mails as senders of commercial electronic messages to Canadians attempted to verify recipients’ consent.

CA – Symantec Study Reveals 93% of People Access Data on Lost Smartphones

Symantec Canada recently ran something of a sting operation to figure out what people generally do when they come across a homeless smartphone. First, the company “lost” 60 smartphones in Vancouver, Calgary, Toronto, Ottawa, Montreal and Halifax. Then it monitored the phones to see what people did with them once they picked them up. The good news is that if you lose your phone, there’s a slightly better than 50/50 chance the person will try to return it to you. Apparently, 55% of people attempted to return the phone to its rightful owner. The bad news is that even those kind souls are pretty nosy and will take a peek at your private data before they give your phone back. According to Symantec, 93% of people accessed the devices and half looked at private photos. A total of 63% looked at corporate email and a little more than half (52%) opened the password file. 35% accessed the bogus online banking application loaded on the lost phone. The results of the study come hot on the heels of a report from Avast! that revealed many people selling their phones on eBay don’t do enough to wipe their personal data from the device before shipping it to the buyer. The company purchased 20 second-hand cell phones from users on eBay and discovered over 40,000 photos on the phones, including 1,500 pictures of children, 750 photos of women in various stages of undress and 250 dick pics. They also discovered the identity of four previous owners, and more than 750 emails and text messages. [Source]

CA – ON Breach Being Investigated; Post-BC Breaches, Researcher Reinstated

An Ontario woman “is asking how a medical company knew details of her surgery when they tried to persuade her to change surgeons.” Ontario’s Office of the Privacy Commissioner “is looking into how the Centric Health plastic surgery clinic … got the information” about her surgery, the report states. Meanwhile, The Vancouver Sun reports the second of seven individuals who lost their jobs following privacy breaches two years ago and “a mass firing by the BC Health Ministry” has been reinstated. Drug researcher Malcolm Maclure has been rehired as a consultant on research and evidence development, the report states, quoting Maclure as saying, “I feel exonerated.” [Digital Journal] See also: [Saskatchewan: Expert calls for release of critical-incident info]


US – Americans Most Worried About Financial Data

A survey indicates 71% of Americans say they’re “petrified” someone will snoop as they access their bank accounts or other financial data. 57% say they’re worried someone will snoop on their online shopping. Social networks were the platforms that made users most worried, and email came second at 56%. Harris Interactive surveyed 2,100 Americans in June. [CNET] See also: [Businesses Beware: Millennials Could Revolt Over Data-Gathering]

US – People With Higher Job Status Prioritize Security Over Privacy

Privacy and security are two sides of the same coin and it’s sometimes very difficult to find a perfect balance of the two. In most cases, people tend to prioritize one over the other based on their personal choices or requirements. A new study published by Penn State researchers found that people in higher job positions are more likely to sacrifice privacy in the name of security. For the study, researchers analyzed how people in leadership job positions evaluated security and privacy and how impulsive or patient they were in making decisions. They found that those who were randomly placed in charge of a project tended to become more concerned with security issues. “Social status shapes how privacy and security issues are settled in the real world,” said Grossklags. “Hopefully, by calling attention to these tendencies, decision makers can rebalance their priorities on security and privacy.” [Source]

US – Businesses Beware: Millennials Could Revolt Over Data-Gathering

“Millennials care about online privacy—but only to an extent that’s convenient,” Megan Meagher writes, noting they are supplying data brokers with thousands of data points about themselves that are then turned into consumer profiles that can be detrimental to their options as customers. However, she writes, millennials take on causes quickly, and issues that were once innocuous become pressing overnight given online forums like Facebook that allow campaigns to travel at warp speed. Given that, it’s “only a matter of time before marketers are held accountable for any unpalatable practices they undertake involving the use of personal data,” Meagher writes, suggesting companies would be wise to get ahead of such a revolution. [Forbes]

US – Tech Seeks Life After Death for Accounts

There are legal challenges surrounding online accounts after their owners’ death. Estate lawyers and some tech industry representatives say changes to the Electronic Communications Privacy Act allowing for the release may simplify things. [The Hill]

US – OKCupid Experiments with User Data on Whether Love Is Blind

Despite the privacy uproar that was caused when Facebook recently disclosed it had used user data to see “if emotions were contagious,” OKCupid this week disclosed the results of three experiments it recently conducted on users, including whether users rated potential matches’ personality in correlation with their looks. OKCupid’s user agreement does state that, upon signing up to use the site, personal data may be used for research and analysis. [The New York Times]

WW – Coke and Keurig Partner for Drink Data

Emboldened by the useful data gathered from its Freestyle home soda fountains, Coca-Cola has partnered with Keurig to gather consumption data from the company’s new Keurig Cold machines. Launching next year, the machines will allow consumers to make one-off carbonated beverages, including Coke products, and will send data about what people are drinking back to the Keurig and Coke home offices. Coke is Keurig’s largest shareholder. “We’ll know exactly—with the consumer’s permission, of course—what they’re drinking and when they drink it in their home,” The Coca-Cola Company’s Deryck Van Rensburg said. “Imagine what you can do with that.” Coke used feedback from Freestyle to make the decision to bring Cherry Fanta to store shelves. [Quartz]

WW – Research: Sustainably Managing Large Numbers of Accounts / Passwords

Abstract: We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for portfolio management. [Full paper]


AU – Australian Government Keeping Voting Source Code Secret

Australia’s government is refusing to share the source code for the software used in the country’s elections, claiming that “publication of the software could leave the voting system open to hacking or manipulation.” Experts point out that the source code for voting software “implements a very subtle, complex algorithm,” and needs to be open to scrutiny to find and fix problems. [SMH] See also: [B.C. government needs to fix archiving]


WW – Dark Mail Project Seeks to Hide Metadata from Snoops

An email privacy project called Dark Mail aims to hide users’ communications metadata, information the NSA has been collecting wholesale for years. Metadata is usually not encrypted, even when the email messages are. The project is a joint effort between Ladar Levison, who founded the secure email service Lavabit, and Steven Watt, who in 2011 completed a two-year prison sentence for writing a packet sniffer for TJX data breach mastermind Albert Gonzalez. The Dark Mail project comprises an email client called Volcano; server software Magma Classic and Magma Dark; and the Dark Mail protocol. Most email encryption services work within a closed community – users can communicate only with other people who also use the service. But Dark Mail is seeking to move beyond that model; Levison and Watt want it to work with existing email programs. [WIRED] SEE ALSO: a federal judge in New York has granted prosecutors access to a Gmail user’s e-mails as part of a criminal probe. And [Canada: CASL: Still Muddy Waters]

US – Court Says Warrant for Access to All Content of Email Account is Justified

A New York judge defended a controversial order that gave the government access to all content of the Gmail account of a target in a money laundering investigation, holding that courts have long recognized the practical need for law enforcement to seize documents if only to determine whether they fall within the warrant. The opinion, which will likely fuel the privacy debate in the country, is at odds with decisions by judges in several courts including courts in the Districts of Columbia and Kansas, Magistrate Judge Gabriel W. Gorenstein of the U.S. District Court for the Southern District of New York noted in an opinion Friday. The District of Columbia judge had refused disclosure of the contents of an entire email account because that would allow the government to actually seize large quantities of emails “for which it has not established probable cause.” The court in Kansas criticized a similar warrant as it failed to “limit the universe of electronic communications and information to be turned over to the government to the specific crimes being investigated.” The New York court, in contrast, granted on June 11 a warrant that permitted law enforcement to obtain emails and other information from a Gmail account, including the address book and draft mails, and to permit a search of the emails for certain specific categories of evidence. [Computerworld]

EU Developments

UK – Data Protection Fines Drive Up Compliance Elsewhere Across Industry

News of a data protection fine being served prompts nearly half of organisations operating in that sector to review their own data protection policies and practices (19-page / 104KB PDF), according to a survey commissioned by the ICO. Civil monetary penalties (CMPs) have a “clear impact” on how organisations served with the fines manage their own data protection responsibilities, but they also act as a “useful deterrent” to others, the ICO’s report said. Senior managers at approximately 60% of other organisations become more interested in data protection as a result of hearing about fines issued to other organisations, whilst 47% of respondents said that news of a data protection fine prompted them to introduce new data protection training for staff, it said. More than a quarter of organisations also conduct internal audits after hearing about others’ data protection fines, according to the ICO’s report. The ICO also said that it will review the guidance it has issued previously on issuing CMPs in light of the concerns raised during the research exercise about how the ‘substantial damage and distress’ test is interpreted. [Out-Law] [The ICO’s report (19-page / 104KB PDF)] See also: [UK – Annual review of social media policies may not address regulatory risks, says expert]

UK – Legal Challenge Lodged Against New UK Data Retention Laws

A legal challenge is to be launched against new UK data retention laws that received parliamentary backing under a prioritised approval process earlier this month. Civil rights campaigners Liberty said it will seek a judicial review of the Data Retention and Investigatory Powers (DRIP) Act on behalf of two MPs, David Davis and Tom Watson. In a statement the MPs criticised the speed with which the DRIP Act gained parliamentary approval and questioned whether the new rules sufficiently protect individuals’ privacy rights. The DRIP Act replaces previous UK regulations on data retention that had implemented an EU law which earlier this year was ruled to be invalid by the EU’s highest court. The Court of Justice of the EU (CJEU) ruled that the EU Data Retention Directive disproportionately infringed on privacy rights enjoyed by EU citizens. Home secretary Theresa May said the speedy approval of the new rules was necessary to plug potential holes in UK intelligence gathering capabilities that could have arisen if the telecoms companies subject to the data retention requirements had stopped collecting the information in light of the CJEU’s ruling. [Out-Law] [Insights on the draft EU Data Protection Regulation from a UK Information Commissioner’s Office spokesperson who said while it is still subject to change, the draft regulation “provides a guarantee for freedom of expression”] See also: [UK – Emergency data retention law could fail same tests as the existing law]

EU – Legal Analysis Containing Personal Data Is Not Personal Data, Rules CJEU

The legal analysis used to support administrative decisions “cannot of itself” be classed as ‘personal data’ even if the analysis contains personally identifying information, the Court of Justice of the EU (CJEU) has ruled. As a result, the Court found that individuals do not have a right of access to the full legal analysis document under EU data protection laws. Under the EU’s Data Protection Directive, individuals have a general right to access the personal data stored about them by organisations. [Out-Law] [The CJEU’s judgment] SEE ALSO: Hogan Lovells Partner Eduardo Ustaran takes a look at what’s changed and the current state of play in the cookie ecosystem, noting DPAs “have realized that a large number of websites are cutting corners” and the fallout that might ensue. [Checking In on the State of Cookie Consent]

US – EDPS Workshop Examines Role of Privacy in Competition

The European Data Protection Supervisor (EDPS) recently hosted a workshop that determined “the world of ‘big data’ likely will require consideration of privacy in competition matters.” The workshop discussed the policy implications of big data and the digital economy in relation to data protection, competition and consumer protection. A report issued after the workshop noted, “Data protection and competition specialists do not necessarily speak the same language. Laws may currently be applied effectively to address visible large-scale abuses. But the laws seem not to cover the incremental ‘day-by-day drops into the ocean of data’ which are used to construct user profiles, where even seemingly innocuous data can reveal sensitive information.” [Hogan Lovells] See also: [EU: Privacy Officer To Head European Marketing Trade Group FEDMA]

US – Analyzing the Mutual EU-U.S. Distrust Over Privacy

The EU and U.S. have always had differing approaches to privacy and data protection, but since the Snowden revelations began making their way into the headlines, the gap and distrust has grown wider. “To help illustrate the nature of these doubts,” Berkeley Law Prof. Paul Schwartz commissioned a “mini-poll” that asked privacy attorneys in the U.S. and Germany their opinions about each region’s approach to privacy and data protection. Schwartz reveals each side’s concerns and how there “are no easy solutions to differences in EU-U.S. data protection.” “Instead,” he writes, “there are only tough discussions ahead.” Schwartz, in addition, highlights two lessons that can be learned from this analysis. [Privacy Perspectives] See also: Viviane Reding left the European Commission to become an MEP.

EU – Other News

EU ministers have undertaken efforts “to overcome ‘hurdles’ and agree on common rules for data protection laws” at informal talks hosted by Italy, the new holder of the EU presidency. Italian Justice Minister Andrea Orlando said, “There would be nothing worse than failing to agree on common rules.”

In the UK, the “Data Retention and Investigatory Powers Bill” was announced in the House of Commons, and BBC News reports that Prime Minister David Cameron “has secured the backing of all three main parties for the highly unusual move.” And here’s an analysis from Bird & Bird lawyer Graham Smith on “DRIP.”

The European Data Protection Supervisor said EU institutions may have to notify him when personal data processing operations “are likely to present specific risks to the rights and freedoms of data subjects.”

LexisNexis published “Company Lawyers: Independent by Design,” a whitepaper from the European Company Lawyers Association (ECLA) that includes a chapter on the role and function of the data protection officer (DPO) under the proposed European regulation, noting that the “required skill set, relationship with management and with the business and the ethical dimension of the role remain at an early stage.” ECLA is collecting feedback on the whitepaper until the end of September.

The Constitutional Court of the Republic of Slovenia “abrogated the data retention provisions of the Act on Electronic Communications,” Slovenia’s Information Commissioner’s Office reports, noting that the decision “represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.”


EU – Court Orders to Block the Pirate Bay are Ineffective

Traffic to The Pirate Bay site has doubled since 2011, even though courts in several countries have ordered Internet service providers (ISPs) to block the site and its founders have been sentenced to prison for various offenses. Nearly 10 percent of users visiting the site do so through a proxy. In a nod to the ineffectiveness of such blocks, a Dutch appeals court recently ruled that ISPs should not block The Pirate Bay at IP and DNS levels because those methods are ineffective. [Ars Technica]

US – NSA: Releasing Snowden Emails Would Violate His Privacy

The National Security Agency says it can’t release emails sent by exiled whistleblower Edward Snowden to NSA officials because doing so would invade his personal privacy. That rationale was one of several given to journalist Matthew Keys, formerly social media editor at Reuters, in response to a Freedom of Information Act request that sought emails Snowden sent in the first five months of 2013. Keys published the NSA’s response on Thursday. The NSA’s FOIA office, which is dealing with a significant backlog, could not immediately supply a copy to U.S. News. Snowden has said repeatedly that he raised concerns internally when he worked as an NSA contractor before he decided to leak documents that exposed the agency’s sweeping – and arguably illegal – surveillance programs. [Source]


WW – OECD Unveils ‘Global Standard’ to Combat Tax Fraud and Banking Secrecy

A new global standard for the automatic exchange of financial information aims to “put an end to banking secrecy” in tax matters and increase transparency, the Organisation for Economic Co-operation and Development (OECD) said. The ‘Standard for Automatic Exchange of Financial Account Information in Tax Matters’, launched by the OECD on 21 July, calls on governments to obtain detailed account information from financial institutions and share the information automatically with other jurisdictions each year. The standard, developed by the OECD at the request of the G20 group of the world’s largest advanced and emerging economies, will be formally presented to G20 finance ministers next September. OECD secretary-general Angel Gurria said the organisation’s message to the G20 “will be clear and simple… the automatic exchange of information standard is ready for implementation”. The standard provides for annual automatic exchange between governments of financial account information, including balances, interest, dividends, and sales proceeds from financial assets, reported to governments by financial institutions and covering accounts held by individuals and entities, including trusts and foundations. More than 65 countries and jurisdictions have already publicly committed to implementing the standard, while more than 40 have committed to making the first automatic information exchanges in 2017. This includes a group of OECD and non-OECD countries which have adhered to the OECD declaration on automatic exchange of information in tax matters (7-page / 1.12 MB PDF) as well as a group of ‘early adopters’. The OECD said more jurisdictions are expected to commit to implementing the standard in the run-up to the Global Forum on Transparency and Exchange of Information for Tax Purposes, hosted by the German finance ministry in Berlin next October. [Out-Law]


US – Microsoft Makes Privacy Part of Its K-12 Branding

Microsoft is striving “to position itself as a protector of student-data privacy” and to back up such claims. The company has spent the last year supporting academic research on privacy and guides for school officials. Earlier this year, its chief technology officer said, “Students are not products … We have a long way to go across the industry … in getting everyone on board with protecting students, and to a great degree, teachers, too.” As the maker of many services for schools, and with rising concern about student privacy, the company is focusing on an issue “that has surged in the consciousness of parents and school officials,” the report states. [McClatchy News Service] See also: [NL: Access to information watchdog in court over attorney-client privilege]

US – San Francisco Announces Open Data Plan

Five months after San Francisco’s appointment of Joy Bonaguro as its first chief data officer, the city has a new open data strategic plan, aiming to improve on its data quality and expand its data-driven decision-making. The city also aims to support the “democratization of consumer data,” the report states, allowing individuals to access data the city stores about them, although confidential data containing individually identifiable information will not be among the data shared. “Given the distributed nature of individual data, we expect this to be a complex undertaking, and we will focus on background research and planning in year one,” the city’s strategic plan states. [Full Story] [San Francisco’s Chief Data Officer wants to help citizens make data-driven decisions] See also: [Canada: First Nation chiefs’ salaries due to be posted under Transparency Act]


CA – Privacy Watchdog Urges Insurers Not to Ask for Genetic Test Results

Canada’s privacy watchdog has called on the country’s health and life insurance industry not to ask applicants for access to existing genetic test results, “until such time as they can be shown to be demonstrably necessary and effective”. The Office of the Privacy Commissioner (OPC) acknowledged that “insurance industries need to collect and use personal information to assess risk”, but said “that a legitimate need does not necessarily give an organisation the authority to collect any and all personal information on the grounds that it might be useful or relevant”. OPC said its call would “effectively expand the industry’s current voluntary moratorium on asking applicants to undergo genetic testing”. OPC said in a policy statement that it had analysed the collection and use of genetic test results in light of existing legislation relating to personal information protection. [Out-Law] See also: [DNA tests: Child’s rights override parents privacy concerns]

CA – Canada Works to Institute a National Missing Persons DNA Databank

The Conservatives’ latest budget, tabled in February, pledged up to $8.1-million over five years starting in 2016-2017 to create a DNA-based national missing persons index (MPI). Public Safety Minister Steven Blaney, the lead minister on the file, told The Globe and Mail he is committed to tabling legislation by the end of 2015. He said it’s “realistic” to foresee the government creating a national MPI and a national human remains index (HRI), both of which could be housed at the RCMP’s existing National DNA Data Bank facility in Ottawa. Mr. Blaney also said it’s within the realm of possibility to cross-reference those two indexes with two existing ones – the crime scene index (CSI) and the convicted offenders index (COI) – to search, for example, for missing people like Lindsey at known crime scenes. The measure is in draft stage, he said, and it’s too soon to know exactly how it will unfold or what the consultation process will yield, including with regard to privacy. [The Globe and Mail]


US – Google Must Face U.S. Privacy Lawsuit Over Commingled User Data

A federal judge has refused Google’s bid to dismiss a privacy lawsuit that claims Google “commingled user data across different products and disclosed that data to advertisers without permission,” Reuters reports. U.S. District Judge Paul Grewal ruled Monday that Google must face breach-of-contract and fraud claims, though parts of the suit were dismissed. Grewal had dismissed two earlier versions of the suit but wrote in his decision this time, “Like Rocky rising from Apollo’s uppercut in the 14th round, plaintiff’s complaint has sustained much damage but just manages to stand.” The suit stems from Google’s changes to its privacy policy in March 2012. Meanwhile, plaintiffs in a class-action lawsuit over Target’s data breach have protested the company’s request that discovery be delayed. [Reuters] See also: [US Supreme Court And European Union Expose Google’s Massive Privacy Liabilities]

WW – Google’s Project Zero Aims to Protect Privacy, Improve Internet Security

Google Project Zero is aiming to find software vulnerabilities and to protect Internet users’ privacy. People should “be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications,” according to Google Researcher Herder Chris Evans. [ZDNet] [CNN] [Googleonlinesecurityblogspot] See also: [Google wants to know how the human body works]

Health / Medical

EU – Data Protection Reforms Should Enable ‘One Time’ Patient Consent

New EU data protection laws should not force medical researchers to seek consent from patients each time they wish to use their data or tissue samples in a new research project, the European Society of Medical Oncologists (ESMO) has said. ESMO warned that “the survival of retrospective clinical research, biobanking, and population-based cancer registries in the EU” would be put at risk if current proposals backed by MEPs earlier this year are introduced into law. It said that the MEPs’ plans “imposes, or may be interpreted as imposing, the requirement for researchers to ask for a patient’s ‘specific’ consent every single time new research is carried out on already available data and/or tissues”, and said this would “lead to the necessity of researchers continuously asking patients to ‘re-consent’ for every single use of their data.” ESMO said that it would be better if the new General Data Protection Regulation gave medical researchers the right to use patient data and tissues “forever” on the basis of a “one-time consent” to that use from patients. “This consent could be withdrawn by the patient at any time, but researchers should not be compelled to ask for ‘re-consent’ by patients whenever new research is planned on their data and/or tissues,” ESMO said in a new position paper on the risks of the proposed new EU data protection framework. [Out-Law] [The ESMO position paper on the risks of the proposed new EU data protection rules] See also: [UK – Electronic health records can help simplify drugs trials, study finds] and also: [Will Capitol Hill Relax Healthcare Regs in the Name of Innovation?]

US – Recent HIPAA Cases Indicate Confusion, Misuse of Law

A litany of recent HIPAA-related cases indicates the law is open to misinterpretation and may sometimes provide cover for the health organization involved rather than working in the patient’s best interest. For example, a security guard in Missouri recently threatened a mom taking a picture of her son in the hospital and a Florida nursing home said it couldn’t cooperate with police investigating allegations of a crime against one of its residents. “Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Manatt, Phelps & Phillips Partner Deven McGraw. [ProPublica] See also: [Tiny digital doctors to track your health] and [This amazing remote-controlled contraceptive microchip you implant under your skin is the future of medicine] and [Turkey: Our General Health Data Is On Free Trade! Who Wants To Buy?]

Horror Stories

UK – UK Travel Agency Fined for Violating Data Protection Act

The UK Information Commissioner’s Office (ICO) has fined a travel company GBP 150,000 (US $255,000) for failing to adequately protect customer data. By exploiting a coding error on the company’s website, attackers were able to steal customers’ credit card details dating back to 2006. Payment card data had never been deleted from the system and the system had never been tested. The company, Think W3 Limited, was found to have violated the Data Protection Act. [The Register] See also: [US – Thousands Affected After South Carolina Hospital Suffers Laptop Theft] and [AU – Company Informs Customers of Breach Three Years After the Fact]

US – Dept. of Commerce IG Report Finds “Significant” Security Issues at NOAA

According to a report from the US Department of Commerce’s office of inspector general, satellite data were stolen from a National Oceanic and Atmospheric Administration (NOAA) contractor’s personal computer last year, but there has not been an investigation because the employee refused to allow NOAA to conduct a forensic investigation on the laptop. The report also noted other “significant security deficiencies” at NOAA, including unauthorized use of smartphones and thumb drives on sensitive systems. [NextGov] See also: [GAO Says FDIC Cyber Security Still Needs Improvement] and also: [More Details Emerge About 2010 NASDAQ Breach] And [CA — Canada: National Research Council computers hacked]

US – EBay to Face Class-Action; Researchers Find Privacy Flaw

EBay is facing a class-action lawsuit after alerting users in May of unauthorized access to its systems. While the company says no financial data was accessed, the plaintiffs in the case allege eBay’s inadequate security led to the breach and have asked for a jury trial to settle the matter with combined claims of more than $5 million. Meanwhile, researchers from New York University have uncovered what they call a “privacy flaw” and “security breach” in eBay’s buyer feedback program allowing any individual to view the feedback. According to the research, “it is relatively easy to match the timestamp of the sale” with the seller’s feedback “and thus identify the item that was purchased.” [PCWorld] [Flaw in eBay lets your spouse know what you are buying]

US – Breach Settlements Come with High Costs

Two separate organizations are doling out funds for settlements following recent breach incidents. The first is Equilon Enterprises LLC’s settlement of almost $2 million. The company, which recorded calls from customers contacting Shell Oil, is paying “to settle a class action alleging its actions violated California privacy laws,” the report states. Meanwhile, Women & Infants Hospital of Rhode Island has agreed to a $150,000 settlement of “data breach allegations that affected more than 12,000 Massachusetts patients” whose “names, dates of birth, Social Security numbers, dates of exams, physicians’ names and ultrasound images” were allegedly compromised in a 2012 breach. [Law 360] See also: [Data Breach Bulletin: Russian Hacker Claims To Have Infiltrated Both Wall Street Journal and Vice incl: Wall Street Journal and Vice | European Central Bank | Goodwill StubHub | Self Regional Healthcare | Women & Infants Hospital of Rhode Island] CBS Chicago reported that Illinois Attorney General Lisa Madigan called for a federal agency designed to investigate data breaches, saying, “It just makes sense that somebody has to take responsibility in this day and age for putting in place safety standards for our personal financial information…”

US – FedEx: Drug Indictment Is Result of Focus on Customer Privacy

A 15-count indictment against FedEx was handed down last week alleging the company helped “illegal online pharmacies traffic the sale of prescription drugs,” but the company says the issue comes down to privacy. The indictment claims that since at least 2004, FedEx “knowingly shipped controlled substances and prescription drugs for illegal Internet pharmacies despite warnings from the Drug Enforcement Administration, the Food and Drug Administration and Congress.” But FedEx says it will plead not guilty, arguing it is not a shipping company’s job to prevent the sale of illegal drugs. A spokesman said customer privacy is essential to the core of FedEx’s business and that privacy is now at risk. [Full Story] [FedEx: Drug Shipping Indictment a Matter of Privacy]

US – 72,500 Bank Customers’ Data Breached

Florida-based TotalBank is notifying 72,500 customers that their account information was potentially compromised after an unauthorized third party accessed the bank’s computer network. Compromised information may include names, contact data, account numbers, balances and other personal identifiers—such as Social Security numbers and driver’s license numbers—but, according to the bank, accounts were not accessed. Krebs on Security reports on Indexeus, a search engine that compiles user account data gathered from recent data breaches. The site says it has more than “200 million entries available to our customers”—much of it gathered from “hacker forums that have been hacked, or from sites dedicated to … powerful servers that can be rented to launch denial-of-service attacks aimed at knocking websites and web users offline.” [BankInfoSecurity] See also: [NB: Privacy commissioner urges disciplinary action against doctor]

UK – Dublin Company Alerts 650,000 of Breach

A Dublin company is alerting nearly 650,000 customers that their personal information has been compromised in a hacking incident dating back to 2010. Paddy Power, which provides betting and casino games, among other services, says the data compromised included individual customer names, usernames, addresses, email addresses and more. Financial information was not compromised, however. The company has contacted the data protection commissioner and the police, advised customers to review other sites where they might use the same username and prompted them to change their security questions. The extent of the breach, a result of hackers, was uncovered with the assistance of Canada’s Ontario Provincial Police. [Irish Times]

Identity Issues

EU – New EU Rules on Cross-Border Electronic Identification Finalized

The Council of Ministers’ General Affairs Council voted to support the Regulation on e-ID and trust services at a meeting last week. The Regulation is expected to come into force shortly. The European Parliament previously gave its backing to the new rules in April. Under the new rules, EU countries would have the option of signing up to a ‘mutual recognition’ scheme for e-ID. Many member states have national e-ID schemes that are relied upon for verifying the identity of consumers when transacting or engaging with public services online. In a move designed to boost cross-border trade in the EU, the e-ID schemes used nationally would be recognised by other EU countries if the countries agree to give recognition to the national e-ID schemes operated by those other nations, under certain conditions. Only national e-ID schemes that are “interoperable” could be put forward by EU countries for participation in the mutual recognition regime. The mutual recognition scheme is not expected to be in operation until the latter half of 2018. [Out-Law] [The finalised Regulation on e-ID and trust services]

CA – Privacy Analytics Raises $3.5 Million

Khaled El Emam’s work provides de-identification solutions for the transfer of health data. Now, his software start-up Privacy Analytics has announced $3.5 million in seed financing. Investors include Bell Canada and the Ontario Institute for Cancer Research. While running a research lab associated with the Children’s Hospital of Eastern Ontario, El Emam developed software, now called Parat, that scores the potential risk of re-identifying individuals in shared data while making the health data anonymous. According to the report, Privacy Analytics looks to hire three additional employees by the end of October. [Ottawa Citizen]

WW – How to Go Semipublic in the Google Age

After a longstanding real-name policy, Google+ announced that “there are no more restrictions on what name you can use.” The policy had been criticized by journalists and privacy advocates who said pseudonyms were needed to protect users for valid reasons. Will Oremus writes about a recent article in The New York Times detailing one former college student’s struggles after being raped and how the Times decided to use her first name and face but not her last name. Oremus writes, “And then I realized: Anna and the Times aren’t trying to hide her identity from anyone who’s ever met her. They’re trying to hide it from all the people who never have. That is, they’re shielding her identity from Google.” Meanwhile, BBC News reports a website has been created to list items Google has removed due to the EU’s right-to-be-forgotten decision. [Slate] [You no longer have to use your real name on Google+.] See also: [De-Identification: A Critical Debate: Why de-identification is a key solution for sharing data responsibly] and [On Why Surprise Minimisation Is a Misguided Principle]

Intellectual Property

UK – Digital Economy Act Copyright Regime Shelved by UK Government

Work on a new online copyright enforcement regime under the Digital Economy Act (DEA) has been shelved now that rights holders and internet service providers (ISPs) have voluntarily agreed a framework for educating alleged infringers about the harm of piracy, the UK government has confirmed. [Out-Law]

US – Advocates Hope SCOTUS Ruling Catches Fire

Privacy advocates are hoping the Supreme Court’s unanimous ruling on cell phone privacy last month will have a broader impact than just that case itself, perhaps even leading to the end of the government’s post-9/11 surveillance of telephone records. After all, Chief Justice John Roberts’ cell phone opinion was an “emphatic, emphatic message from the court that digital is different,” said one law professor. The question is, how different? Will it be enough to “topple a 35-year-old court precedent that denied privacy protection to telephone records shared with third parties?” Separately, a federal judge in New York has granted prosecutors access to a Gmail user’s e-mails as part of a criminal probe. [USA Today]

Internet / WWW

US – Is the Internet of Things Getting Too Big?

US presidential policy advisers are concerned that the Internet of Things is simply too large. Companies that are making some of the items, such as refrigerators, “are not information companies, and the effect is that we are much more vulnerable,” according to Defense Policy Board and President’s Intelligence Advisory Board member Richard Danzig. A report from Danzig’s Center for a New American Security suggests that security can be improved by paring down systems to their essentials, so that they may be able to do less, but also will present fewer opportunities for security problems. [NextGov] See also: [NYT: The Next Big Thing in Hardware: Smart Garbage]

WW – Cloud Services Can Impede Forensic Investigations

As governments have moved to cloud services, they have saved money and improved efficiency, but the technology holds some challenges to forensic investigations. A draft report from the National Institute of Standards and Technology (NIST) describes 65 “challenges” forensic investigators encounter when dealing with cloud computing. The report classifies the challenges into nine categories, including data collection, analysis, and architecture. One example of a challenge is email. On non-cloud systems, deleted email messages can often be recovered because they are not truly deleted until they are over-written. Because of the shared nature of the cloud, deleted files are more likely to be overwritten. [NextGov] [NIST Report]

WW – Hackers Find Security Flaw, Offer Enhanced Privacy Option

Nest allows users to regulate the heating and cooling in their homes, but it also might allow hackers with physical access to the device to gain access to its system. A group of researchers from the University of Central Florida found they could do so, allowing them to siphon data and install malware on the system. Acquiring that kind of sensitive data potentially reveals personal details about living habits. They’ll present their findings at the Black Hat security conference in August, and they say there may be a “privacy upside.” They’ve written a program that would allow users to stop data from being sent back to Nest headquarters, for enhanced data protection. [Forbes] [Nest Hackers Will Offer Tool To Keep The Google-Owned Company From Getting Users’ Data]

WW – Microsoft Launches Online Take-Down Request Form

Microsoft has launched an online form to take requests from European residents that want to delete old or outdated search results for their names. Google launched a similar form in June after Europe’s highest court ruled it must allow for such a request. Microsoft said it plans to study how many requests it gets before moving to implement any more takedown requests. Meanwhile, a recent Microsoft survey found that 83 percent of American voters agree with a recent Supreme Court decision requiring police to get a warrant before searching someone’s cellphone. [Wall Street Journal]

WW – Samsung Rumored to Have Purchased SmartThings for $200 Million

Samsung may have reached a deal with home automation company SmartThings for approximately $200 million. The service allows its users to remotely connect and control devices in their home—including door locks and lights. The move is part of a larger play by other companies—such as Google, Amazon and Apple—to get into the Internet of Things (IoT) ecosystem and “be the first to own your home and data,” the report states, adding, “What they do with that data will depend on the player.” Additionally, Samsung has joined forces with Google and other companies to launch Thread, a new standard protocol for the IoT. [TechCrunch]

US – Ford and Intel collaborate to make cars that identify their drivers

The trend has been to outfit vehicles with cameras facing outside for the purposes of safety and convenience, but now Ford and Intel are pointing cameras inwards toward the driver for the same reasons. Dubbed Project Mobii, the collaboration was announced during a recent presentation at a Ford conference. Still in a conceptual phase, its stated purpose is to bridge connected cars with the Internet of Things, allowing them to interface more seamlessly with mobile devices for safer usage. The idea of an interior-facing camera is meant to identify who is driving via face recognition, and tailor the in-car experience based on his or her preferences. These could include seat adjustment, radio presets, contacts, navigation maps and more. The car’s internal data connection would also enable car owners to peer into the vehicle remotely using a smartphone or tablet. In recognizing a driver and front-seat passenger, the camera could sense who is reaching for the head unit’s screen and open the system up for unfettered use to the passenger, while locking out the driver. In turn, the passenger would be locked out of any personal information the driver has in the system. Under this scenario, unrecognized drivers wouldn’t be able to start the car unless the vehicle owner approves them through a mobile app. Temporary access can then be given with parameters that can limit top speed, apply a geo-fence perimeter, ban extra passengers and restrict access to the infotainment system. Refusal to abide by the rules would allow the owner to monitor the driver in real time. [The Globe and Mail]

Law Enforcement

US – Wisconsin High Court Sides With Police In Cellphone Tracking Suits

The Wisconsin Supreme Court issued twin rulings stating police had the authority to track suspects through their cell phones, in one case absent a warrant, rejecting claims that the searches violated their rights under the Fourth Amendment.

US – Wisconsin Supreme Court Allows Stingray Use in Murder Case

In a narrow decision, the Supreme Court of Wisconsin upheld a lower court decision permitting the warrantless use of devices known as stingrays, which can track cell phone locations. In this particular case, the court found that while Milwaukee police had not obtained a warrant to use the stingray to determine a murder suspect’s location, a related judicial order served the same purpose. [Ars Technica] [DocumentCloud] [Law360: Wisconsin High Court Sides With Police In Cellphone Tracking Suits]

CA – Millions of Police Requests for Canadians’ Data Every Year: Report

Government authorities have been making millions of requests to telecommunications companies for Canadians’ personal information as far back as 2006, newly released documents show. Internal documents from Public Safety Canada reveal authorities requested telecom companies to turn over “basic subscriber information” at least 1.13 million times a year between 2006 and 2008. That figure matches revelations from the federal privacy watchdog earlier this year that authorities sought subscriber information 1.2 million times in 2011. “It suggests that there have been huge numbers of requests for years now taking place largely below the radar screen . . . without very much public awareness,” said Michael Geist, a University of Ottawa law professor and Star columnist, who obtained the documents. “Basic subscriber information” can include details like name, address, Internet protocol (IP) address, telephone number, email address and local service provider identity. The federal government and law enforcement agencies have argued this amounts to “phonebook information” — police seem to generally request names and addresses — but privacy advocates warn it can lead authorities to more personal and detailed information. [The Star] See also: [Opinion: Come Back With a Warrant: How Will the Canadian Government Respond to the Supreme Court’s Reshaping of Privacy Law?]


US – Panel Approves Giving Police Emergency Access to Cellphone Locations

The House Energy and Commerce Committee has passed a bill that would allow law enforcement agencies to access cell phone users’ geolocation information in emergencies. The Kelsey Smith Act—named after a Kansas teen who was murdered in 2007—was passed Wednesday after being introduced last year by Rep. Kevin Yoder (R-KS). The bill was amended after Rep. Greg Walden (R-OR) pushed for privacy protections—including a court’s required approval to retroactively approve emergency requests for cell phone location information—to be added in the name of finding the “right balance to save lives and prevent abuse,” Walden said. [The Hill]

CA – Database maps Saskatoon, Regina violent crime sites by address

The website is a national database of “stigmatized properties.” Plug an address into its search engine and a property’s unsavoury history emerges. The categories run the gamut of human tragedy: Homicide, shooting, stabbing and murder are all covered. So are meth labs, grow ops, dismemberments and mental illness. [Source] See also: [Cat location tracking website stokes fire on privacy debate]


US – Judge Finds Data’s Controller Trumps Its Location

U.S. District Judge Loretta A. Preska ruled that U.S. law enforcement can force Microsoft to turn over emails it stores in Ireland. Preska agreed with the findings of a magistrate judge who approved a sealed search warrant in December as part of a narcotics investigation. It came down to the question of who controlled the data rather than where it was stored. The judge did, however, stay the effect of her ruling to allow for an appeal from Microsoft, the report states. Microsoft General Counsel Brad Smith said the company will “appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the U.S. and around the world.” [Associated Press]

Online Privacy

EU – Update on Right to Be Forgotten

Google’s committee of experts has convened following Europe’s right-to-be-forgotten ruling. The council includes Google’s Eric Schmidt and David Drummond as well as independent experts, but “the entire strategic endeavor is of Google’s making … so should be viewed in that context,” the report states, arguing the company is “creating its own privacy debate forum to grab attention and exert pressure for regulatory reform.” Meanwhile, a report by a UK House of Lords subcommittee says the right to be forgotten “must go,” and Google, Microsoft and Yahoo must this week respond to 20 questions issued by the European Commission on how they will meet right-to-be-forgotten requirements. [TechCrunch] Meanwhile, the Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin and others are critical of Google’s right-to-be-forgotten response. Google’s decision to remove results only on EU search engines and its decision to notify media organizations when links have been removed are noted in the criticism. Italian DPA the Garante has issued a prescriptive rule to Google indicating changes Google should make to its data-handling practices in order to ensure compliance with “the applicable law and EU directive.” Rocco Panetta of NCTM Studio Legale Associato writes that, “[t]his is the first measure of this kind in Europe, and it is a result of a coordinated action with other European DPAs and follows the judgment of the European Court of Justice on the right to be forgotten.” See also: [Public Vs. Private Ain’t So Easy Anymore] [US: CDT’s O’Connor Calls on WP29 To Provide Clear Rules for RTBF Claims]

EU – Falque-Pierrotin Critical of Google RTBF Response

Criticism of Google’s implementation of the right to be forgotten from European data protection authorities (DPAs) continues in a Bloomberg report, which includes comments from Article 29 Working Party (WP29) Chairwoman Isabelle Falque-Pierrotin. “There has been a climate of controversy that’s been entertained in order to maybe endanger the right to be forgotten … It has led some people to say that the right to be forgotten leads to censorship of the press, which is not the case,” she said. Her comments come a day after regulators met with officials from Google, Microsoft and Yahoo. WP29 also released the questions it asked of the companies. Luxembourg DPA Gerard Lommel said the questions will help officials draft their guidelines and provide “food for further discussions in this matter.”

EU – DPAs Unhappy With Google’s Right-To-Be-Forgotten Implementation

European data protection authorities (DPAs) are concerned about how the so-called right-to-be-forgotten decision is being implemented by Google. Regulators plan to meet with officials from Google, Microsoft and Yahoo to discuss the implementation. One particular sticking point, according to the report, is Google’s decision to remove results only on its EU search domains, meaning a quick search on a non-EU Google domain would sidestep any takedown request. Olswang Partner Ashley Hurst said, “Google has claimed that the decision is restricted to localized versions of Google … There appears to be no basis for that claim at all.” Another concern for DPAs—including Ireland’s Billy Hawkes—is the decision to notify media organizations when links have been removed. [Reuters] UPDATE: [Google Says RTBF Compliance Is Difficult with User Discretion on “Accuracy”] and [Italy gives Google 18 months to change data use practices]

US – Privacy Groups Call on FTC to Investigate Facebook

The FTC should investigate Facebook’s plan to collect the browsing history of its users, representatives from the European Consumer Organization (ECO) and the Center for Digital Democracy (CDD) have said. The ECO’s Kostas Rossoglou and the CDD’s Jeffrey Chester sent the FTC a letter arguing the company is violating an agreement with the FTC, Bloomberg reports. The groups, which have joined forces and call themselves the Trans Atlantic Consumer Dialogue, said in a letter addressed to FTC Chairwoman Edith Ramirez they “are writing to express their deep alarm.” [Bloomberg] See also: [Slate: Facebook’s Privacy Pivot] SEE ALSO: [House Committee Questions FTC Authority]

WW – Facebook to Share Demographic Data with Nielsen

Facebook will share the age and gender of Facebook users who watch TV on their cellphones or computers with TV ratings measurement company Nielsen. The aggregated data will then be combined with other data—such as education level or relationship status, for example—to find trends among viewers of particular shows. A spokesperson for Nielsen said the data is anonymized and no personally identifiable information is transmitted between the two companies. But privacy groups are wary of the partnership; an EPIC spokeswoman said consumers aren’t aware of “the extent to which Facebook is putting their non-Facebook activity to use.” [Journal Sentinel]

WW – Schrems Launches Global Class-Action Against Facebook

Max Schrems, founder of Europe-v-Facebook and initiator of a case Irish courts recently referred to the European Court of Justice, has filed a global class-action against Facebook. Austrian law allows a group of people to transfer their financial claims to an individual, approximating a class-action. Schrems is seeking 500 euros per Facebook user, and people can join the case by logging in with their Facebook credentials. He alleges the harm comes from Facebook’s complicity with the U.S. government’s PRISM program. “We have this habit of pointing the finger at the United States, but we’re not enforcing our rights anyway,” Schrems told Reuters. “If we can get a class-action through like this, it will send out a huge signal to the industry overall.” [Reuters] See also: Austria’s data retention law was struck down by the Constitutional Court of Austria, which said “it violates fundamental European privacy rights.”

WW – Cookies, Canvas Fingerprinting and Transparency

With news this week of new techniques being used to track consumers online—namely what’s being called canvas fingerprinting—Richard Beaumont writes, “The ideas behind browser and canvas fingerprinting have been around for some time now,” adding, “These techniques seem designed to get around standard browser controls that allow users to block tracking cookies relatively easily, but they also have an uncertain status with regard to the EU cookie laws.” Beaumont looks into the issue and argues why now is the time for “website owners to take responsibility themselves, in conjunction with the technology developers.” [Privacy Perspectives] [Research: The Web Never Forgets] [Canvas Fingerprinting is tracking you] [Stealthy Web tracking tools pose increasing privacy risks to users]
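Added example, not code from the article, from Beaumont or from the cited research. It shows why blocking cookies does nothing against canvas fingerprinting and where a site owner or browser extension can actually intervene: the technique never stores anything on the client, it just draws text into a canvas and reads the pixels back, so the only control point is the canvas API itself. The guard below wraps fillText/strokeText and toDataURL/getImageData and reports (optionally blanks) a pixel read-back that follows text rendering. The trigger conditions (text drawn, canvas at least 16x16, pixels read back) are my reading of the heuristic used in “The Web Never Forgets” measurement study and are an assumption; the fake canvas at the bottom is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example; not code from the article or the cited research.
// Page-side monitor for canvas fingerprinting. Trigger heuristic (assumption,
// after the "Web Never Forgets" study): text rendered into a canvas at least
// 16x16, followed by a pixel read-back via toDataURL() or getImageData().

function installCanvasGuard(canvasProto, ctxProto, options) {
  const report = options.report || (() => {});
  const block = options.block === true;        // hand back blank pixels when flagged
  const textDrawn = new WeakSet();             // canvases that had text rendered
  const originals = {
    fillText: ctxProto.fillText,
    strokeText: ctxProto.strokeText,
    getImageData: ctxProto.getImageData,
    toDataURL: canvasProto.toDataURL,
  };

  function noteText(ctx) {
    if (ctx.canvas) textDrawn.add(ctx.canvas);
  }

  // True when the read-back looks like fingerprinting and should be blanked.
  function inspect(canvas, api) {
    if (!canvas || !textDrawn.has(canvas)) return false;
    if (canvas.width < 16 || canvas.height < 16) return false;   // icons, sparklines
    report({ api, width: canvas.width, height: canvas.height, blocked: block });
    return block;
  }

  ctxProto.fillText = function (...args) {
    noteText(this);
    return originals.fillText.apply(this, args);
  };
  ctxProto.strokeText = function (...args) {
    noteText(this);
    return originals.strokeText.apply(this, args);
  };
  ctxProto.getImageData = function (x, y, w, h, ...rest) {
    if (inspect(this.canvas, 'getImageData')) {
      // Same shape as real ImageData, all zero: any hash of it is constant.
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
    }
    return originals.getImageData.call(this, x, y, w, h, ...rest);
  };
  canvasProto.toDataURL = function (...args) {
    if (inspect(this, 'toDataURL')) return 'data:,';   // empty image, identical everywhere
    return originals.toDataURL.apply(this, args);
  };

  return function uninstall() {
    ctxProto.fillText = originals.fillText;
    ctxProto.strokeText = originals.strokeText;
    ctxProto.getImageData = originals.getImageData;
    canvasProto.toDataURL = originals.toDataURL;
  };
}
// In a page: installCanvasGuard(HTMLCanvasElement.prototype,
//   CanvasRenderingContext2D.prototype, { report: console.warn, block: true });

// Constructed stand-in for a browser canvas so the guard can run under Node.
const FakeCtxProto = {
  fillText() {},
  strokeText() {},
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(200) };
  },
};
const FakeCanvasProto = {
  toDataURL() { return 'data:image/png;base64,REALPIXELS'; },
};

function makeCanvas(width, height) {
  const canvas = Object.create(FakeCanvasProto);
  canvas.width = width;
  canvas.height = height;
  const ctx = Object.create(FakeCtxProto);
  ctx.canvas = canvas;
  canvas.getContext = () => ctx;
  return canvas;
}

// A fingerprinting script, an ordinary chart and a tiny icon, run under the guard.
function demo(block) {
  const reports = [];
  const uninstall = installCanvasGuard(FakeCanvasProto, FakeCtxProto,
    { report: (r) => reports.push(r), block });

  const fp = makeCanvas(220, 30);               // typical fingerprinting canvas
  fp.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  const fpResult = fp.toDataURL();

  const chart = makeCanvas(300, 150);           // reads pixels but drew no text
  const chartResult = chart.getContext('2d').getImageData(0, 0, 4, 4);

  const icon = makeCanvas(8, 8);                // text, but too small to identify anyone
  icon.getContext('2d').fillText('x', 0, 8);
  const iconResult = icon.toDataURL();

  uninstall();
  return { reports, fpResult, chartResult, iconResult };
}
```

With `block: false` the guard only reports, which is the mode a site owner would use to find out which third-party scripts on their pages are doing this before deciding what to do about them; `block: true` returns constant pixels so the derived identifier is the same on every machine.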

US – Brill Concerned About Apps Collecting Sensitive Data

App developers need to give consumers more tools and more choice over how sensitive health data is used. That’s the message FTC Commissioner Julie Brill delivered at a panel discussion. “We don’t know where that information ultimately goes,” Brill said, noting that information is sometimes shared with third parties. The FTC released the results of a study on mobile health app developers in May, finding that many share data with third parties. In an interview with Reuters after the panel, Brill said “no one is talking about new regulations,” but the FTC has also made it clear that health data requires special protection. [Full Story] See also: [UK: Free Wi-Fi – but it’ll cost you your privacy] See also: App makers thanked the FTC for COPPA clarifications. Broadcasting & Cable reports that Morgan Reed, executive director of ACT: The App Association, said the FTC’s release “gives platforms and appmakers more guidance in areas where confusion has persisted.” And Sara Kloek, director of Moms With Apps, said the COPPA FAQ updates are “a major win for innovation and privacy.”

US – Netflix to Help You Hide Embarrassing Content From Your Activity Log

Netflix is testing a new privacy filter that helps users hide guilty-pleasure content from their activity log. “At Netflix we continuously test new things. In this case, we are testing a feature in which a user watching a movie or TV show can choose to view in “Privacy Mode.” Choosing that option means the program will not appear in your viewing activity log, nor will it be used to determine recommendations about what you should watch in the future. Not everyone will see this and we may not ever offer it generally,” wrote Netflix’s new director of corporate communications, Cliff Edwards, in a recent press release. Netflix is currently testing the feature with a small group of subscribers across the streaming platform’s various territories. To access Privacy Mode, users click on a small globe icon while watching content; this activates the mode and keeps what they are watching out of their activity feed. There is no clear release date for the feature yet, and according to Edwards Netflix is still unsure whether it will release Privacy Mode to all users. See also: A federal judge authorized subpoenas to Craigslist and Amazon compelling the companies to disclose the personal details of anonymous commenters. Judge Marsha Pechman said the subpoenas would be “intended to learn the John Doe defendants’ identities including names, addresses, telephone numbers, e-mail addresses, IP addresses, web hosts, credit card information, bank account information and any other identifying information.”

Other Jurisdictions

RU – Russian Government Seeking Technology to Break Tor Anonymity

The Russian government is offering a 3.9 million rubles (US $109,500) contract for a technology that can be used to identify Tor users. Tor was initially developed by the US Naval Research Laboratory and DARPA, but is now developed by The Tor Project, a non-profit organization. Tor is used by journalists and others who need to keep their identities hidden for their own safety; it is also used by criminals for the same purposes. The entrance fee for the competition is 195,000 rubles (US $5,500). A new “blogger law,” passed earlier this year and going into effect in August, requires bloggers with audiences of more than 3,000 readers “to register their identity with the government,” but the law could be tough to enforce if bloggers use Tor. [BBC] [ComputerWorld] [Ars Technica] [Hacking Citizen Lab] See also: [Tor Says U.S. Researchers May Have ID’d Users]

RU – Putin Signs Data Localization Bill

Russian President Vladimir Putin has signed a law requiring Internet companies to store all personal data of Russian citizens on servers located within the country’s borders. Officials at the Kremlin said the law seeks to improve “the management of personal data of Russian citizens on computer networks,” and businesses that do not comply will be blocked. The new law could stymie dissent within the country—often expressed and disseminated via social networks such as Facebook and Twitter. The Association of Electronic Communication—a group that lobbies on behalf of Internet companies—said “many global Internet services would be impossible” under the law. [ZDNET] USA News reports that Russia’s new laws could have widespread negative consequences, from a loss of anonymity for bloggers to possibly limited Internet access for residents because of the localized server requirement.

WW – Other News

New Zealand Justice Minister Judith Collins announced “significant improvements to privacy laws to ensure stronger protections for New Zealanders’ personal information.” However, ZDNet cited a security expert who suggested the expected proposals “are imprecise and don’t go far enough.”

Japan is set to pass cybersecurity legislation, noting that recent cyber-attacks on Yahoo Japan, the country’s space agency, its largest defense contractor and Bitcoin exchange Mt. Gox, as well as the highly publicised 2011 breach of the Sony PlayStation Network, have all threatened the world’s third-largest economy.

The Monetary Authority of Singapore has provided guidelines that “explain the extent to which financial institutions have to observe individuals’ access and correction rights whilst ensuring compliance with their duties on conducting anti-money laundering and terrorist financing checks.”

Human Rights Watch called on Tunisia to amend its draft counterterrorism law “to make it fully consistent with international human rights standards on fair trial, privacy and freedom of expression.”

Privacy (US)

US – Obama Won’t Support CISA Until Privacy Concerns Addressed

A senior Obama administration official says the Cybersecurity Information Sharing Act of 2014 (CISA), which passed the Senate Intelligence Committee earlier this month, needs to have its privacy and civil liberties protection provisions strengthened before the president will support it. “Given some issues that the privacy community has raised, we need to take that into account as we … work on the bill,” said the official. The White House hasn’t taken an official stand on CISA, which aims to help the government receive information from businesses on cyber-threats. Privacy and civil liberties advocates wrote to Obama asking that he threaten to veto the bill. [Bank Info Security] UPDATE: The Cybersecurity Information Sharing Act was passed by the Senate Intelligence Committee. Then companies and privacy groups demanded Obama reject it. Then Treasury Secretary Jack Lew called for a cybersecurity law but didn’t even mention CISA.

US – Obama to Issue Drone Privacy Executive Order

President Barack Obama plans to issue an executive order to construct privacy guidelines for the commercial use of drones operating in U.S. airspace, Politico reports. The order would put the National Telecommunications and Information Administration (NTIA) in charge of the efforts. A White House spokesman said, “We don’t have any details to share at this time, but there is an interagency process underway.” The NTIA has already developed a code of conduct for mobile apps and is currently facilitating the development of a code for the commercial use of facial recognition technology. [Politico] Meanwhile, the FAA plans to permit small drones to be used for commercial purposes after media sources, energy companies, farmers and other groups put on the pressure. An FAA spokesman said the agency is drafting rules for small drones now that will be “issued for comment late this year,” but they could take several years to finalize. Also, a New York man escalated the drone debate after allegedly illegally taking video of hospital patients with his drone and then posting it to his Facebook page. SEE ALSO: [Opinion: Why Drone Benefits Outweigh Privacy Issues]

US – Court to Hear Wyndham Appeal in FTC Case

A federal appeals court has agreed to accept hotel chain Wyndham’s petition to appeal Federal Trade Commission (FTC) vs. Wyndham Worldwide Corporation to determine whether the FTC has the authority to “bring charges against companies based on their alleged failure to protect consumers’ data.” The U.S. Chamber of Commerce, American Hotel & Lodging Association and National Federation of Independent Business filed a friend-of-the-court brief in support of the appeal, stating, “Whether the FTC’s enforcement authority … extends to regulation of data security is an issue of central importance to businesses that face the prospect of being investigated by the commission.” [MediaPost] [FTC Privacy Casebook]

US – Hartzog and Solove: How Broad Should FTC’s Regulatory Powers Be?

Profs. Woodrow Hartzog and Daniel Solove have released a paper on the scope and potential of the FTC’s data protection regulatory powers. “For more than 15 years, the FTC has regulated privacy and data security through its authority to police deceptive and unfair trade practices … Recently, the FTC’s powers for data protection have been challenged by Wyndham Worldwide Corporation and LabMD,” write Hartzog and Solove in the paper’s abstract. “These recent cases raise a fundamental issue, and one that surprisingly has not been well explored. How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?” [Source]

Privacy Enhancing Technologies (PETs)

US – NIST Workshop to Collocate with Privacy Academy

The National Institute of Standards and Technology (NIST) has announced its Second Privacy Engineering Workshop will be held September 15-16 in San Jose, CA, in conjunction with the IAPP Privacy Academy and CSA Congress, which kicks off September 17 in the same complex. The workshop will consider engineering definitions and concepts with the intent to inform the development of the NIST report on privacy engineering. Registration and agenda details will be available soon. Meanwhile, three researchers have released a new paper, “Privacy Mindset, Technological Mindset,” which argues that “a major obstacle for (Privacy by Design) is the discursive and conceptual gap between law and technology.” [NIST Press Release] See also: [Removing the Gap Between Privacy Engineers and Lawyers] and [Privacy Literacy for the Next Generation of Privacy Leaders: Georgetown Law Center Aims To Bridge the Gap Between Technologists and Privacy Lawyers]

US – Snowden Calls for Privacy by Design; Academics Win Award

Speaking at the Hope X conference via videolink over the weekend, Edward Snowden called on developers to build privacy protections into systems by design. He said encryption is an “important first step,” but added, “It doesn’t end at encryption; it starts at encryption.” Snowden said now’s the time “to help build a better future by encoding our rights into the programs and protocols upon which we rely … every day.” He also added that he intends to work on privacy-enhancing technology as well. In a related report, a team of Princeton and University of Texas at Austin researchers have been awarded a 2014 PET Award for their paper, “A Scanner Darkly.” The paper presents a privacy-enhancing layer to “perceptual computing.” [TechCrunch] [Snowden: NSA employees share intercepted sexts] See also: [Forbes: Forget Glass. Here Are Wearables That Protect Your Privacy]

WW – OpenPDS Would Give Users Data-Sharing Choice

A new system would allow Internet users to choose which data to share with websites and mobile apps. Prototype system openPDS—short for personal data store—keeps a user’s data in a single location that the user specifies; any cellphone app, online service or big-data team that wants to use it must “query your data store, which returns only as much information as is required,” the report states. Rather than handing over the raw records, the store runs the requester’s query against them and returns only the computed answer. The MIT researchers who developed the system are now testing it with telecommunications companies in Italy and Denmark. [MIT News]
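Added example, not MIT’s openPDS code: the query-answering pattern the paragraph describes, reduced to its essentials. Raw records never leave the store; an app may only submit a question the owner has approved for it, and what it gets back is the computed answer. The two questions, the per-app policy, the sample location pings and the minimum-support rule (an answer resting on fewer than five records is refused, since a precise answer over a handful of points is nearly the raw data) are all constructed assumptions for this example.

```javascript
// Added example; not code from openPDS or the MIT News report.
// Personal data store that answers approved questions instead of exporting records.

const MIN_SUPPORT = 5;   // assumption: refuse answers that rest on fewer records

// Constructed sample: coarse cell identifiers with UTC timestamps.
const SAMPLE_PINGS = [
  { t: '2014-07-20T23:10:00Z', cell: 'cell-17' },
  { t: '2014-07-21T02:40:00Z', cell: 'cell-17' },
  { t: '2014-07-21T08:15:00Z', cell: 'cell-42' },
  { t: '2014-07-21T12:30:00Z', cell: 'cell-42' },
  { t: '2014-07-21T18:05:00Z', cell: 'cell-09' },
  { t: '2014-07-21T23:45:00Z', cell: 'cell-17' },
  { t: '2014-07-22T01:20:00Z', cell: 'cell-17' },
  { t: '2014-07-22T09:00:00Z', cell: 'cell-42' },
  { t: '2014-07-22T13:10:00Z', cell: 'cell-42' },
  { t: '2014-07-22T22:30:00Z', cell: 'cell-17' },
  { t: '2014-07-23T03:00:00Z', cell: 'cell-33' },
];

const hourOf = (ping) => new Date(ping.t).getUTCHours();

// Most frequent cell in a set of pings, or null if the set is empty.
function dominantCell(pings) {
  const counts = new Map();
  for (const p of pings) counts.set(p.cell, (counts.get(p.cell) || 0) + 1);
  let best = null;
  for (const [cell, n] of counts) if (best === null || n > best.n) best = { cell, n };
  return best ? best.cell : null;
}

// Each question returns { answer, support }; support is the number of raw
// records the answer rests on, used for the minimum-support check.
const QUESTIONS = {
  // Where does the user usually spend the night (22:00-06:00 UTC)?
  homeArea(pings) {
    const night = pings.filter((p) => hourOf(p) >= 22 || hourOf(p) < 6);
    return { answer: dominantCell(night), support: night.length };
  },
  // Where does the user usually spend working hours (09:00-17:00 UTC)?
  workArea(pings) {
    const day = pings.filter((p) => hourOf(p) >= 9 && hourOf(p) < 17);
    return { answer: dominantCell(day), support: day.length };
  },
};

class PersonalDataStore {
  constructor(records, policy) {
    this.records = records;   // never returned to a caller
    this.policy = policy;     // appId -> question names the owner approved
    this.audit = [];          // the owner can see who asked what
  }

  ask(appId, question) {
    this.audit.push({ appId, question });
    const approved = this.policy[appId] || [];
    if (!approved.includes(question) || !QUESTIONS[question]) {
      return { ok: false, error: `question "${question}" not approved for ${appId}` };
    }
    const { answer, support } = QUESTIONS[question](this.records);
    if (support < MIN_SUPPORT) {
      return { ok: false, error: 'too few records to answer safely' };
    }
    return { ok: true, answer };
  }
}

// Constructed policy: a sleep app may ask where the user sleeps, nothing else.
const POLICY = {
  'sleep-coach': ['homeArea'],
  'commute-planner': ['homeArea', 'workArea'],
};

function demo() {
  const store = new PersonalDataStore(SAMPLE_PINGS, POLICY);
  return {
    sleepHome: store.ask('sleep-coach', 'homeArea'),
    sleepWork: store.ask('sleep-coach', 'workArea'),       // not approved
    commuteWork: store.ask('commute-planner', 'workArea'), // only 3 daytime pings
    commuteHome: store.ask('commute-planner', 'homeArea'),
    audit: store.audit,
  };
}
```

The point to notice is what the app never sees: timestamps, the 'cell-09' evening visit, or the one night spent at 'cell-33'. Only the dominant cell comes back, and only when enough records support it.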

WW – Personal Robot Means Privacy Concerns, But May Be More Transparent

A new personal robot will be sold commercially in 2015. Jibo has sensors and will live in users’ homes—but that means privacy concerns such as the gathering, processing and storing of information. It also means the feeling of being observed, the report states. Users will no longer type a search phrase into a field but will instead ask the robot for help in finding information. But an advantage of Jibo is that it won’t be silently collecting data on the user and sending it back for processing at some ISP homebase; instead it will provide “visceral notice” of the collection of information—”more powerful, certainly, than any privacy policy,” the report states. [Forbes]

WW – Startup Unveils Portable, Encrypted Server

In one of the latest privacy-enhancing innovations, a UK start-up has released a portable server that comes with SSL/TLS and GPG encryption and only requires a WiFi network and AC plug to operate. The Wedg can host e-mail and cloud storage, with various levels of encryption, and is not susceptible, according to the company, to government surveillance. “Many small businesses are still using Gmail as their default e-mail solution. With a hosted service solution, the potential risk of data leakage and infiltration from other influences is great, but with Wedg, everything is hosted locally,” Wedg CEO Shehbaz Afzal said. [International Business Times] [UK: Paranoid About Online Privacy? How About a Portable Cloud Email Storage Server Instead]

WW – New E-mail Encryption Service Promises Even It Won’t Have the Keys

Enlocked has announced the release of an e-mail encryption service offering what its press release describes as “military-grade” e-mail security. Enlocked caters to small businesses and independent professionals and aims to simplify encryption technology. According to the press release, messages are encrypted and decrypted locally on users’ computers with a key that is unlocked only by the user’s passphrase, which even Enlocked does not know. Meanwhile, in response to a recent BlackBerry blog post criticizing encrypted phone Blackphone’s approach to privacy, CEO Toby Weir-Jones has fired back. [Source]

EU – Old Technology in the Modern Age: Typewriter Sales Surge in Germany

German typewriter makers such as Bandermann and Olympia have cited climbing sales amid NSA spying revelations. Olympia spokesperson Andreas Fostiropoulis told Wirtschaftswoche magazine that the company expects typewriter sales to hit a 20-year high in 2014. German defense contractor Diehl switched from computers to typewriters last year. Earlier in July, German politicians said they were considering going back to old-fashioned manual typewriters for confidential documents, in order to protect national secrets from American NSA spooks.

US – New App Promises Privacy

Washington: Are you worried that your messages or pictures are not deleted completely after you send or receive them? Here comes a messaging app that promises to provide the much sought-after privacy by removing all your messages – texts, pictures or videos – after you send or receive them. Called Wiper, the app can delete anything sent or received. If you are having a chat and want it removed, all you have to do is select “Wipe” from within the chat. The messages – whatever they might be – are also removed from Wiper’s servers, the company says. If you make a call using Wiper, your call logs are also deleted, leaving no trace of any interactions you may have via the service, Slash Gear reported. Wiper says you can send text, videos, pictures or anything else via a closed system. This free-to-use app is available on both the App Store and Google Play. [Source]


WW – Spear Phishing on the Rise; Old Passwords Might Not Be So Bad

A recent security report from Symantec reveals a 91% increase in spear phishing attacks from 2012 to 2013, prompting TechInsurance CEO Ted Devine to offer some prevention tips for small businesses. “A single e-mail opened by an unsuspecting employee can undo months of work,” he said. “And once a hacker gains access, the financial consequences can be significant.” Meanwhile, Ars Technica reports that researchers argue the traditional advice of “long, randomly generated passwords” for every account is not “feasible in practice”: users have a finite budget of effort, so it is better spent on high-value accounts, while lower-value accounts may not need complex passwords at all. [Source] SEE ALSO: [Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts].

WW – Researchers Find USBs Dangerous at Their Core

While many computer users depend on USB devices to move data around easily, the risk goes beyond the malware a thumb drive may happen to carry: it is built into the core of how USB itself works, according to security researchers Karsten Nohl and Jakob Lell, who plan to present their findings next week. The researchers created malware called BadUSB that can be installed on a USB device to take over a PC, invisibly alter files or redirect users’ Internet traffic. It does not live in the thumb drive’s storage; it lives in the device’s firmware itself. Reformatting the drive or scanning its contents therefore does nothing to remove it. [WIRED]

WW – Exploring the Risk-Based Approach in Practice

The Centre for Information Policy Leadership at Hunton & Williams recently released a whitepaper on the risk-based approach, exploring how to improve its effectiveness in practice. “The whitepaper explores the fundamental question of how the ultimate purpose of privacy laws—to protect individuals from both tangible and intangible harm—can be achieved more effectively in the modern information age.” Issues explored in the paper include the potential benefits and applications of the risk-based approach in addition to the challenges and questions that face such a paradigm. [Hunton & Williams’ Privacy and Information Security Law Blog]

WW – Google Reveals Top Security Hackers

Google is publicly revealing “Project Zero,” its team of security researchers whose mission is to track down and neutralize “the most insidious security flaws in the world’s software,” hackable bugs known as “zero-day vulnerabilities.” Such bugs can be exploited by criminals and “state-sponsored hackers” for spying. One of the team’s members is George Hotz, who cracked AT&T’s iPhone lock back in 2007 when he was 17 years old. The team is encouraged to expose zero-day vulnerabilities in any software, not just Google products, “with the aim of pressuring other companies to better protect Google’s users,” the report states. [WIRED] See also: [Here’s How Easy It Could Be for Hackers to Control Your Hotel Room]

Smart Cards

AU – NSW Opal Card Raises Privacy Concerns

Australia’s spy agency could get its hands on the home address and travel history of NSW commuters using the state’s Opal card, a civil liberties group warns. The pay-as-you-go card, which can be used on trains, buses and ferries across the state, has been promoted by the Baird government as a way of saving travellers time and money. But Stephen Blanks, president of the NSW Council for Civil Liberties, says the Opal card’s privacy policy allows personal information of cardholders to be forwarded to law enforcement agencies without the need for a warrant. “It’s entirely up to the internal decision making of Transport NSW to whether or not information requests (from law enforcement agencies) will be complied with,” he told AAP on Tuesday. “Typically, they’ll comply with all requests.” SEE ALSO: Australian AG George Brandis indicated that requiring ISPs “to retain customer data for up to two years for access by law enforcement agencies is under ‘active consideration’ by the government.” And the Australian Parliament’s House Standing Committee on Social Policy and Legal Affairs issued “Eyes in the Sky: Inquiry into drones and the regulation of air safety and privacy,” outlining “possible shortcomings of the current privacy regime,” among other things.


Surveillance

US – Artists, Writers to Congress: Mass Surveillance Is Censorship

A group of notable writers and artists has written an open letter to U.S. Senate leaders urging Congress to act to end mass surveillance, arguing its threat to “our most cherished democratic ideals” and “constitutional international human rights to free expression and privacy.” “Mass surveillance is censorship,” the group writes, citing an October 2013 survey of members of PEN—an international association of writers—that found one in six were refraining from writing or speaking on certain topics because of fears about NSA surveillance. “Congress must act now to protect our freedom to speak, think, write and create freely—and in private,” the authors write. [Full Story] SEE ALSO: the UN called government surveillance “almost certainly illegal.” A “damning but cautiously phrased report,” recommended that governments review national laws and policies to assess whether they are in line with international human rights law. [UN human rights report blows apart governments’ pro-surveillance arguments] Also: [Blacklisted: The Secret Government Rulebook For Labeling You a Terrorist]

US – Senator Introduces “Historic” Surveillance Reform Bill

Sen. Patrick Leahy (D-VT) introduced legislation this week that would bring extensive reforms and increased transparency to U.S. surveillance capabilities. “If enacted,” Leahy said, “this bill would represent the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago,” noting the bill has support from the White House, several privacy groups and the technology industry. Meanwhile, the New America Foundation’s Open Technology Institute has released a report outlining some of the “collateral damage” caused by the widespread knowledge of the NSA programs, and a CyberArk survey indicates 68 percent of businesses have changed their security strategies in light of the NSA leaks and recent breaches.

UN – Gov’t Surveillance “Almost Certainly Illegal”

The United Nations (UN), “in a damning but cautiously phrased report,” recommends that governments review national laws and policies to assess whether they are in line with international human rights law. UN High Commissioner for Human Rights Navi Pillay said, “The very existence of a mass surveillance programme creates an interference with privacy,” adding, “The onus is on the state to demonstrate that such interference is neither arbitrary nor unlawful.” Meanwhile, two UK electronic surveillance programs were publicly debated on Tuesday, according to The Wall Street Journal. Members of the UK Parliament voted 498 to 31 to approve the “Data Retention and Investigatory Powers” bill. [GigaOM]

WW – Sleep Sensor Promises to Keep Bedroom Data Safe

Sense, a device promising to help people sleep better by tracking everything that happens at night in their bedrooms, raised $500,000 almost instantly on crowd-funding website Kickstarter this week, Forbes reports. Sense works when users attach movement-sensing “sleep pills” to their pillows that know when they go to bed and when they actually sleep. A microphone collects five-second sound snippets at a time, which are sent back to Hello Inc., the company that created Sense, so users can play back the sounds the next morning to know what may have disturbed them in the night. CEO James Proud said the company understands the privacy concerns and is aiming for full transparency on its data uses. [Full Story]

WW – Snowden on Cloud Service Providers and Naked Photos

In a recent media interview, Edward Snowden discussed cloud storage services and how some do a better job protecting user data from government surveillance than others. Snowden said Dropbox is “hostile to privacy,” while calling for more services that provide users with zero-knowledge systems whereby the service provider hosts and processes the information for its customers without actually having access to it themselves. Snowden said SpiderOak is one such service. In the same video interview, Snowden also alleged U.S. National Security Agency employees often share intercepted sexts—”an intimate nude photo of someone in a sexually compromising situation,” he said. Snowden said such privacy violations go unnoticed by oversight authorities “because the auditing is so weak.” [The Guardian]

US – PCLOB Expected to Investigate EO 12333

The Privacy and Civil Liberties Oversight Board (PCLOB), which has already conducted investigations and produced reports on sections of the USA PATRIOT Act and Foreign Intelligence Surveillance Act, is expected to focus its efforts on investigating a little-known but powerful U.S. intelligence mandate: Executive Order (EO) 12333. Collection under EO 12333 is not subject to court oversight and receives very little congressional review. The order, originally issued in 1981 by President Ronald Reagan, gives the National Security Agency control of signals intelligence collection overseas; the nature and scope of that collection have not yet been made public. [The Washington Post]

FI – ‘Big Brother’ Airport Installs World’s First Real-Time Passenger Tracking System

Civil liberties groups criticise a new tracking system at Helsinki Airport that can monitor passengers’ footsteps from arrival at the car park to take-off. All mobile phones logged into the Wi-Fi network at Helsinki Airport will be monitored by an in-house tracking system that identifies passengers’ real-time movements. The technology has been criticised by privacy advocacy groups, but is said to be aimed at monitoring crowds and preventing bottlenecks at the airport, which sees around 15 million passengers a year, Bloomberg reports. Currently in its initial phase, the full tracking system is expected to be in place by the end of this year, which could enable shops to target passengers within their vicinity, such as a deli alerting a passenger walking by to an item on sale. All data collected is said to be in aggregated form, preventing any personal information from being seen by Finavia Oyj, the Finnish Civil Aviation Administration operating the airport, as the software discards any unique identifiers of devices, claims Tuomas Wuoti, the CEO of Walkbase. But software security analysts find it hard to believe “location tracking is only left at statistics” levels. [The Telegraph]

US – New York Knows Where Your License Plate Goes

In a crime-fighting tactic that sets civil libertarians’ teeth on edge, police in Monroe County and other urban counties across New York state are collecting and archiving tens of millions of records that track vehicle movement. The records are stored in a series of loosely connected secure computer servers, accessible directly or indirectly by police from one end of New York to the other and by federal Homeland Security officials. Each of the records, which are gathered by license plate cameras mounted on police cars or at fixed locations, includes a photograph and the time and place that a particular vehicle was imaged. Strung together, the records can paint a picture of where a person has traveled — whether to the scene of a crime, a doctor’s office or to church. The system can instantly alert patrol officers of a “hit” on a stolen car or, more often, a vehicle whose registration has lapsed and is ripe for ticketing. Stored records also can be accessed later as part of criminal investigations. [Rochester Democrat & Chronicle]

Telecom / TV

WW – New App Brings Free Encrypted Calling to iPhones

Open Whisper Systems, an open-source software group, has announced the release of Signal, a free iOS app allowing users to easily encrypt calls. Similar to Silent Circle, Signal uses ZRTP encryption and both the calling and receiving parties must have the app installed. But while Silent Circle is paid for by users, Signal will be funded by donations and government grants. Open Whisper’s Moxie Marlinspike says two main priorities are call quality and ease of use, adding, “The hard part is developing a product that people are actually going to use and want to use.” While he admits “there are always unknowns,” Marlinspike says Signal’s security protections relating to eavesdropping are “probably pretty great.” [WIRED]

WW – Apple iOS Diagnostics Tool Could be Exploited to Access Personal Data

Diagnostic services built into Apple’s iOS mobile operating system could be used to access personal data in iPhones. The services, which Apple says are designed for engineers, are not documented. Apple says that the feature was not designed to let the NSA access data in the devices. [Reuters] [The Register]

BR – Brazilian Telco Oi Fined $1.59 Million for Privacy Violations

Brazilian telecommunications firm Oi has been fined $1.59 million (3.5 million reais) for violating users’ privacy. The Consumer Protection and Defense Department (DPDC) fined the company after it found it had sold consumer browsing data to third parties. “The company, under the pretext of improving the browsing experience, hid from customers essential information about the service and its implications for privacy and the safety of their personal data,” said DPDC Director Amaury Oliva, adding, “At no time were customers told that their browsing would be monitored by the company and that their profile would be sold to advertising companies.” [EFE]

US – Class-Action Claims iPhones Spy on 100 Million Users

A class-action lawsuit filed in federal court alleges Apple uses the location service function on iPhones to spy on customers and give their private information to third parties. Chen Ma, the lead plaintiff, has sued on behalf of approximately 100 million iPhone users alleging privacy violations. “In or around September 2012, Apple released iPhone 4, which contains an iOS operating system software that enables iPhone 4 to track its users’ whereabouts down to every minute, record the duration that users stay at any given geographical point and periodically transmit these data stored on the users’ devices to Apple’s database for future references,” the complaint alleges. [Courthouse News Service]

US Legislation

US – Tech Companies Support Strengthened Leahy NSA Reform Bill

Sen. Patrick Leahy (D-VT) introduced the USA FREEDOM Act, and proponents “lined up … to praise the bill.” Leahy sought input from the tech industry, privacy groups and the Obama administration, and the bill is being lauded as a compromise by all of those groups. A previous version of the bill, after being gutted, passed in the House but lost the support of the tech industry due to the revisions. The current version includes curtailing bulk data collection, setting rules for the destruction of irrelevant information and creating congressional oversight. Jennifer Granick of the Stanford Center for Internet and Society notes, however, that while it does most of what civil liberties groups and others have asked for, it fails to address FBI surveillance. [TechCrunch]

US – Missouri to Vote on Digital Privacy; State Sen. Aims to Protect SSNs

While the U.S. Supreme Court recently upheld privacy protections against police searches of cell phones, Missouri voters will vote next week on a ballot measure that would require police to obtain a warrant before searching or seizing “electronic communications and data,” including cellphones, emails and flash drives. Meanwhile, a Missouri senator has introduced a measure he believes will garner bipartisan support that would end the state’s practice of posting death certificates 50 years and older online with Social Security numbers readable. Sen. Paul LeVota (D-Independence) said the Office of the Secretary of State has indicated it wouldn’t be opposed to changing the law. [Associated Press] [US: Voters to decide on electronic privacy]

US – NY Legislature Approves “Revenge Porn” Bill, Awaits Governor’s Approval

The New York legislature has passed a revenge porn bill that is now headed to the governor’s desk for signature. [Rockland County Times] See also: [Sweden’s justice minister announced the appointment of an investigator to produce a report on online slander, particularly revenge porn]; [Rhode Island passed a social media privacy law]; [Revenge porn laws went into effect in Colorado and Idaho]; and [The Massachusetts Senate passed a social media bill protecting students and job applicants from having to disclose online account information; it now heads to the governor for a signature].

US – Sens. Introduce Bill to Update FERPA

Sens. Ed Markey (D-MA) and Orrin Hatch (R-UT) introduced the Protecting Student Privacy Act, which would update the Family Education Rights and Protection Act, on Wednesday. The proposed legislation “clearly spells out information security practices and data responsibilities for both education institutions and outside parties.” The bill would also tie educational funding to whether schools follow the bill’s provisions, the report states. Schools that include personally identifiable information when unnecessary, don’t require third parties to destroy data that is no longer needed and don’t implement security policies to protect sensitive data would not receive funding. [Government Technology] See also: [Education Data Frontiers: Industry Could Provide the Answers]

Workplace Privacy

CA – Remote Staff Never Out Of Employer’s Eye

While studying history at the University of Waterloo in Waterloo, Ont., Tim Lichti started a lawn-cutting company and felt a need to get a better handle on tracking his workers as they moved from job site to job site. So he went looking for ideas. Guided by the principle that staff are usually the biggest cost for almost any company, Mr. Lichti realized the importance of understanding how those resources are being deployed, and developed an app that works with almost any mobile device and provides employers with an almost instant update on where their staff are at any given moment during the workday, and how long they are spending on particular tasks. The app isn’t just for lawn maintenance businesses – it can be used by any company that has remote employees. Workers have to clock in and out on the app, so it also allows managers to easily record hours worked for payroll purposes, and the app also allows time- and date-stamped pictures to be uploaded, which aids in time-specific jobs. The Waterloo-based company is also developing software that permits mobile workers to process invoices, estimates and payments on the road. [The Globe and Mail]


01-15 March 2014


US – Police Department Wins Right to Use Facial Recognition

A Seattle City Council vote means the Seattle Police Department will now be able to use facial-recognition software to identify suspects caught on video. “We are already doing this work, but it’s manual,” said police spokesman Mark Jamieson. “This would just speed up the process.” The program is funded by a $1.64 million grant from the Department of Homeland Security. [NBC News]

US – With Facial Recognition, You Can Help Shape Self-Regulation

The National Telecommunications and Information Administration has, to date, held two meetings with the ultimate goal of creating a code of conduct in line with the White House’s Consumer Privacy Bill of Rights. In the second meeting, held at the end of February, it was decided that the focus of the talks will be on commercial, not government, use of facial recognition. “So,” writes Leslie Dunlap, a specialist in Internet and technology policy, “it is time for developers of commercial facial recognition technologies and the entities using them to ‘face it’ and take action.” Dunlap looks into the ways privacy pros, technologists, academics, industry, government and privacy advocates can help shape the contours of this technology. [Full Story]


CA – Are You Ready for CASL?

Though the government has promised to coach organizations proactively through the transition, organizations would be wise to start taking steps toward compliance with Canada’s anti-spam legislation (CASL), which becomes effective July 1. CASL will affect any individual, business or organization that uses commercial electronic messages (CEMs) or transmits data in electronic messages. In short, it requires senders to obtain express consent for commercial electronic messages. Angelique Carson examines the law’s provisions with insights from industry and privacy experts including University of Ottawa Prof. Michael Geist, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic’s Tamir Israel and Industry Canada’s Michel Cimpaye, along with tips on how to prepare from nNovation’s Shaun Brown. [The Privacy Advisor]

CA – Student Loans Breach Class-Action Certified

The Federal Court of Canada has certified a class-action lawsuit over a Canada Student Loans privacy breach “related to a hard drive lost by Human Resources and Skills Development containing personal information about 583,000 student loan borrowers.” Bob Buckingham, one of the lead counsels on the case, called the move a “major step forward,” adding, “The legal team will now focus its energies on moving the matter to conclusion as quickly as possible.” He said there is “significant interest” in the class action. “Anyone who received a Canada Student Loan between 2000 and 2006 from any province except Quebec or the territories of Nunavut or the Northwest Territories can register as potential claimants,” the report states. [Nova News Now]

CA – Bell Canada Case: A Challenge to Interest-Based Advertising

Should telecommunications providers be able to use their subscribers’ behavioral information to sell advertising? And are rules stricter than PIPEDA needed for telecoms? A complaint over Bell Canada’s practices brought before the CRTC may end up determining the answers to these questions. Timothy Banks of Dentons Canada LLP writes that if the CRTC agrees with the Public Interest Advocacy Centre and the Consumers’ Association of Canada that “more detailed privacy rules are needed for telecommunications carriers … this could represent one of the most important developments in the evolution of privacy law in Canada since the enactment of PIPEDA.” [Privacy Tracker]

CA – Canadian Officials: Don’t Loosen Control Over Personal Data

A paper presented by Ontario Information and Privacy Commissioner Ann Cavoukian, Berlin Data Protection and Freedom of Information Commissioner Alexander Dix and Prof. Khaled El Emam responds to proposals to change the OECD guidelines. Reducing controls over the collection and use of personal data, they write, would “weaken rather than strengthen” privacy, the report states. “Leaving it up to companies and governments to determine the acceptable secondary uses of personal data is a flawed proposition,” they write. [The Globe and Mail]

CA – Privacy Concerns Raised by Marc Mayrand Over Election Changes

Canada’s top election official is raising concerns about privacy, pointing out that the government’s proposed changes (C-23) to election laws include letting parties have lists of who cast ballots. The document points to two measures that could be privacy concerns:

  • Giving parties a copy of all statements of voters who have cast ballots.
  • Letting candidates’ representatives examine voters’ identification.

Elections Canada officials said parties and candidates can have the information now, but not in a way that would let them collect it in a systemic, broad-based way. [Source]

CA – Amidst Breaches, Clayton Calls for Stronger Laws

Alberta Information and Privacy Commissioner Jill Clayton has asked Health Minister Fred Horne to “strengthen provincial privacy legislation to include mandatory disclosure of all health information breaches.” In her letter Thursday, Clayton asked Horne “to consider amending the province’s Health Information Act, which requires ‘custodians’ to protect the personal health information of Albertans,” the report states, citing the recent revelations about the Medicentres data breach involving the health information of 620,000 Albertans. Meanwhile, CBC News reports a recent University Hospital Centre breach is being called “unprecedented,” and PHIPrivacy.net reports on an incident at a Shoppers Drug Mart where a customer was given a note with a medication name on one side and “the names, medications and phone numbers of five different people” on the reverse. [Edmonton Journal] [Alberta: Health law needs reform, says provincial privacy watchdog]

CA – Opinion: Canada Should Not Enforce FATCA

James George Jatras criticizes the recent “so-called ‘intergovernmental agreement’ to enforce FATCA, the U.S. Foreign Account Tax Compliance Act, in Canada.” Among the issues he raises with that decision are questions about privacy. He writes that “even FATCA’s advocates concede that direct enforcement is ‘wholly unachievable’ due to privacy protection laws in many countries that don’t allow personal data to be sent to unauthorized recipients … The primary purpose of the agreement is to nullify protections under the Bank Act, the Personal Information Protection and Electronics Documents Act, the Canadian Human Rights Code and especially the Charter of Rights and Freedoms.” [Op-ed for The Toronto Star]


US – Pew Report Looks at Digital Life in 2025

As part of a yearlong effort to recognize the 25th anniversary of the creation of the World Wide Web, the Pew Research Internet Project has released an extensive report predicting what the digital landscape will look like over the next 10 years. The report, Digital Life in 2025, is based on interviews with 2,558 experts and technology builders to discuss the future of privacy, cybersecurity, the Internet of Things and net neutrality. “In their responses,” the Pew report states, “these experts foresee an ambient information environment where accessing the Internet will be effortless and most people will tap into it so easily it will flow through their lives ‘like electricity.’” In addition to identifying a number of positive advances, many experts also expressed concerns about diminished privacy. [Full Story] See also: [Canada: Grocery apps save money — and track shoppers]

US – Android Users Proceed With Privacy Case Against Google

A judge has refused to dismiss several privacy-related claims by a group of Android users over allegations that Google shared their location data and other personal information with app developers. Despite Google’s argument that the claims should be dismissed for lack of injury, U.S. District Court Judge Jeffrey White ruled that the consumers can proceed with claims the company violated California law on business practices, because of their allegation that their mobile devices’ battery life was shortened by the data transmissions. The suit dates back to 2011. [MediaPost News]


US – “Raw Take” Order Changed Info-Sharing Policy in a Big Way

Intelligence officials consider the “Raw Take” order a milestone in the history of spying and privacy law: it weakened restrictions on sharing information about Americans, the report states, and came down 10 months after the Sept. 11 attacks at the request of the Bush administration. It was revealed via documents provided by former NSA contractor Edward Snowden. Before the order, intelligence agencies could share information gathered from court-approved wiretaps “only after deleting irrelevant private details and masking the names of innocent Americans who came into contact with a terrorism suspect.” But that dramatically changed. [The New York Times]

CA – Statistics Canada Reviewing How It Gathers Data

The federal statistics agency will undertake a comprehensive review of how it collects key data about the Canadian population. The review is outlined in the main estimates tabled in Parliament, where Statistics Canada announced it was cutting its expected spending by more than $21 million — a 5% cut from the estimates it tabled last year. In explaining the changes in its spending for the coming fiscal year, Statistics Canada noted that it will conduct a “comprehensive review of the potential for administrative and other alternative data sources to replace, complement or supplement” the census and National Household Survey. The agency also says its spending will focus, among other things, on redesigning “major survey programs to ensure their continued relevance and effectiveness.” [Source]

Electronic Records

US – Obama Proposes “Cybersecurity Campus” in 2015 Budget

With cybersecurity dominating the headlines, from the massive retail data thefts to the hacks of Bitcoin exchanges that have wiped out millions in wealth, it is perhaps no surprise that U.S. President Barack Obama is calling for budget funds to address the problem. In his 2015 request, released this week, he calls for a “cybersecurity campus,” a 650,000-square-foot, $35 million building to house cybersecurity experts from agencies such as the Department of Homeland Security and the Department of Justice, International Business Times reports. This would “co-locate key civilian cybersecurity agencies to promote a whole government approach to cybersecurity response,” a spokesman said. [Full Story]


WW – As Breaches Continue, Are Self-Encrypting Drives the Answer?

While breach reports continue—one of the most recent being an “insider breach” at a UK store that resulted in the payroll data of approximately 100,000 employees being posted online—Samsung says self-encrypting drives are the way companies can better protect their own and their clients’ data. Swapping out a PC’s hard disk drive for a “solid state drive” with “self-encrypting drive” technology is simple and effective, as such drives can’t be disabled and encryption is transparent to users. [PC Magazine]

EU Developments

EU – Parliament Overwhelmingly Votes for Data Protection Regulation

The European Parliament voted with overwhelming support for the proposed European General Data Protection Regulation (GDPR). The procedural move ensures that the regulation, which has been in legislative process for more than two years, stays on the table, even after this May’s parliamentary elections. Covington & Burling Special Counsel Monika Kuschewsky and European data protection expert Eduardo Ustaran provide analysis of the vote and look forward to the next steps in the long evolution of the proposed GDPR and what businesses can expect moving forward. [Privacy Tracker]

EU – Reding Highlights Data Portability While Stumping for New Regulation

Saying “Citizens should be able to transfer their data from one service provider, such as a social network, to another — just as they are able to keep their mobile number when changing telecoms operators,” EU Justice Commissioner Viviane Reding called strongly for passage of new data protection regulation in a speech before the Justice Council. Noting the European Parliament will vote on the data protection package on March 12, she said the Commission supports the Greek Presidency’s language and that “transfers based on adequacy, on so-called appropriate safeguards (such as binding corporate rules) or on well framed derogations which are the exception not the rule” are sufficient mechanisms for international data transfer, which might raise questions about the future of Safe Harbor. However, one report says Great Britain is bent on filibustering progress. [Full Story]

WW – DPAs, FTC Unveil Cross-Border Data Transfer Tool

After a year of collaboration on the effort, the U.S. FTC, together with data protection authorities from around the world, held a press conference at the IAPP Global Privacy Summit to announce a joint agreement between G29 and APEC countries aiming to aid companies in achieving compliance with global data transfers. Speaking for the group, Isabelle Falque-Pierrotin, chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, said the tool, called a “referential,” is a “very political and symbolic act” for companies seeking to obtain double certification under Europe’s binding corporate rules (BCRs) and APEC’s cross-border privacy rules (CBPRs). [Full Story]

EU – A Deeper Look at the Future of Safe Harbor

Recently, the European Parliament not only ensured the proposed EU General Data Protection Regulation isn’t going away, it also overwhelmingly voted to call for the immediate suspension of Safe Harbor, something privacy expert Eduardo Ustaran said “has sent some powerful shockwaves across the business and legal communities in the EU and beyond.” Though the vote was not entirely unexpected, Ustaran writes, “The big question that remains on the ground is whether EU-based organizations that rely on Safe Harbor as a legal basis for transferring data … are doing the right thing or should be looking for alternatives.” Ustaran answers that question and provides insight into the rules governing the future of Safe Harbor. [Full Story]

EU – An EU Perspective on IoT Data Protection

Each day, the opportunities and challenges of Internet of Things technology become clearer. Technology is making information flows easier, but recent news that a smart fridge was hacked and sent out spam brings to the forefront the data protection challenges inherent in this burgeoning landscape. “As European regulators grapple with the challenges and complexities of formulating a technology-neutral data protection regulation, the difficulties of applying ‘traditional’ concepts such as consent, purpose limitation, transparency, data deletion, accountability and security to the data processing activities carried out by an ‘Internet-ready’ kitchen appliance become readily apparent,” writes Field Fisher Waterhouse’s Brian Davidson. [Privacy Perspectives]

EU – Websites Placing Unsolicited Cookies; Lawsuit Ramifications Examined

Websites based in The Netherlands are placing “unsolicited cookies” on site visitors’ computers. The sites are “violating privacy laws that stipulate cookies may be placed only after receiving visitor permission,” the report states, referencing a study by two entrepreneurs. “Almost one-third of Dutch sites place cookies onto PCs and smartphones during a first visit and without permission,” the report states. Mondaq, meanwhile, reports on a recent case, Vidal-Hall and others v Google Inc., as potentially having “important ramifications for individual Internet users and businesses who send targeted advertisements to those users.” [Telecompaper]
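The check behind a finding like “cookies placed during a first visit and without permission” is mechanical: fetch a page as a brand-new visitor and inspect which `Set-Cookie` headers come back before any consent could have been recorded. The following is an added example for this digest, not code from the study or from Telecompaper. It works on a constructed first-visit response for the constructed host `shop.example.nl`, and `FUNCTIONAL_COOKIES` is a hypothetical allowlist of cookies the site operator has documented as strictly necessary; everything else set on that first response is flagged as needing consent, with persistence and third-party scope noted because those are the attributes a regulator or auditor looks at next.

```python
"""Added example (not from the study or Telecompaper): audit the Set-Cookie
headers of a first-visit response to see which cookies were placed before any
consent could have been given.

Assumptions: FUNCTIONAL_COOKIES is a hypothetical allowlist of cookies the
site operator has classified as strictly necessary; the response headers and
host name are constructed.
"""

SITE_HOST = "shop.example.nl"  # constructed first-party host

# Constructed headers as returned to a brand-new visitor (no Cookie header
# sent, no consent dialog answered yet).
FIRST_VISIT_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=k3j2h4; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "lang=nl; Path=/; Max-Age=2592000"),
    ("Set-Cookie", "_ga=GA1.2.12345.67890; Path=/; Expires=Wed, 20 Jul 2016 08:00:00 GMT"),
    ("Set-Cookie", "adid=x9f2; Domain=.tracker.example; Path=/; Max-Age=31536000"),
]

# Hypothetical allowlist: cookies the operator documents as strictly necessary.
FUNCTIONAL_COOKIES = {"sessionid", "csrftoken", "lang"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_third_party(domain_attr, site_host):
    """A cookie is third-party if its Domain attribute does not cover the site."""
    if not domain_attr:
        return False  # host-only cookie, scoped to the responding host
    domain = domain_attr.lstrip(".").lower()
    host = site_host.lower()
    return not (host == domain or host.endswith("." + domain))


def audit_first_visit(headers, site_host, functional_names, consent_given=False):
    """Classify every cookie set on the response.

    Returns one finding per Set-Cookie header; 'needs_consent' marks cookies
    that are neither on the functional allowlist nor covered by a recorded
    consent. Persistence (Max-Age/Expires) and third-party scope are recorded
    because they decide how much tracking the cookie enables.
    """
    findings = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        findings.append({
            "name": name,
            "persistent": "max-age" in attrs or "expires" in attrs,
            "third_party": is_third_party(attrs.get("domain"), site_host),
            "verdict": "ok" if (consent_given or name in functional_names)
                       else "needs_consent",
        })
    return findings


def cookies_needing_consent(headers, site_host, functional_names):
    """Sorted names of non-essential cookies placed before any consent."""
    return sorted(f["name"]
                  for f in audit_first_visit(headers, site_host, functional_names)
                  if f["verdict"] == "needs_consent")


if __name__ == "__main__":
    for finding in audit_first_visit(FIRST_VISIT_RESPONSE_HEADERS, SITE_HOST,
                                     FUNCTIONAL_COOKIES):
        print(finding)
```

On the constructed response the session and language cookies pass, while the analytics cookie (persistent, first-party) and the advertising cookie (persistent, third-party domain) are the two that would count as placed without permission; rerunning with `consent_given=True` models the same response after the visitor has accepted, which is the comparison a compliance check would make.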

EU – CNIL Gets Online Investigation Powers

French data protection authority the CNIL has received remote inspection abilities under Law No. 2014-344, passed last week. On top of onsite inspections, document reviews and hearings, the CNIL will now have the ability to remotely investigate violations of the French Data Protection Act, such as whether privacy notices comply or organizations get user consent prior to sending e-marketing messages. [Hunton & Williams’ Privacy and Information Security Law Blog]

EU – CNIL Guidelines Address Online Purchases, More

New guidance from the French data protection authority, the CNIL, addresses online purchases, direct marketing, contests and sweepstakes and consumer tracking. The report looks at each section, highlighting key points from the guidelines. For example, in its section on online purchases, the report explains that the guidelines “make clear that online merchants must limit their use of bank card numbers and visual cryptograms. Once the transaction is complete, the merchants should not store or reuse the bank details of their customers without the customers’ prior consent.” Separately, a Mondaq report examines the CNIL’s guidance for businesses operating in France. [Hunton & Williams’ Privacy and Information Security Law Blog]


WW – Visa, MasterCard Announce Effort to Strengthen Payment Systems

Visa and MasterCard announced they are bringing together large and small banks, credit unions, retailers, makers of card-processing equipment and industry trade groups in an effort to work together to strengthen the U.S. payment system. The collaborative effort aims to advance the migration to chip cards as well as point-to-point encryption. As of late, there’s been industry bickering over who is to blame following recent data breaches at major retailers. Meanwhile, the U.S. Commodity Futures Trading Commission has issued a staff advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley provisions on data security and customer privacy, and venture capital firms have begun investing in cybersecurity companies with record amounts. [Associated Press] [Source]

SK – Financial Firms Will Face Steep Breach Fines

South Korea’s financial regulator has announced financial firms may be fined as much as 3% of their global turnover when responsible for breaches of personal information. Additionally, clients will be granted an option to revoke consent to provide their personal information. The Financial Services Commission also said financial firms must delete clients’ data after termination of financial transactions and may not share the data with affiliates beyond a given time limit. The proposed measures are slated to go into effect in the second half of this year. [Yonhap News Agency]


CA – Ottawa Imposes Life-Long Gag Order on Bureaucrats, Lawyers

Ottawa has slapped a life-long gag order on bureaucrats and lawyers working in a number of government agencies dealing with sensitive national security information. The changes enacted this week, and published in the Canada Gazette, reveal employees in 12 government divisions — five of which have been disbanded — are now subject to provisions under the Security of Information Act that permanently bind them to secrecy. Those employees, mostly Department of Justice lawyers and senior bureaucrats at the Privy Council Office, could face as much as 14 years in prison for disclosing “special operational information” without authorization. But while the government maintains the secrecy is necessary to maintain Canada’s most “operationally sensitive” information, critics say it’s designed to discourage whistleblowing and hamper the public debate now swirling around modern state espionage. [Source] See also: [One-fifth of B.C. info requests come up empty] and [Brampton ordered to release winning bid documents on $205M contract] and [Ireland: FOI legislation ‘violates privacy of individuals’, Varadkar claimed]

US – House Passes FOIA Reform Bill

The U.S. House of Representatives has passed the FOIA Oversight and Implementation Act of 2014. The bill would strengthen the Office of Government Information Services, require agencies to update their FOIA regulations, and mandate the use of a single, free website for submitting FOIA requests and appeals and receiving information about the status of the FOIA request. The bill would also require that agencies seeking to withhold information under one of the FOIA’s exemptions demonstrate that there would be a “specific identifiable harm,” tied to the purpose of the exemption, if disclosure occurred. The bill does not address several key transparency community proposals, including recommendations to limit the use of exemptions and to make it easier to track legislative proposals for new FOIA exemptions. The Senate is currently considering a similar bill. [Source]

CA – Internet Firms Play Coy on How They Share Info With Police, Government

Internet companies have hung up on a call by privacy advocates to reveal the extent to which they share subscriber information with police, security services and government. The Citizen Lab at Toronto’s Munk School of Global Affairs reported that Canada’s most prominent ISPs have largely dismissed its requests to publicly explain the nature, scope and circumstances of demands by state agencies for private customer data. The lab, joined by a dozen leading Canadian Internet and privacy academics and civil rights organizations, sent letters in January to 16 Internet and phone companies asking how often, when and why they disclose private and personal information to state agents. Ten companies replied, but generally avoided or refused to respond to the specific questions put to them, said Christopher Parsons, a post-doctoral fellow at the lab who organized the campaign. The project follows a January report to Parliament from the Office of the Privacy Commissioner calling for reforms to federal privacy legislation to curb the “over-collection of personal data” by federal security intelligence services, police and departments. [Source] See also: [Ontario bill would require MPPs to post expenses online]

Health / Medical

US – Study: Healthcare Criminal Attacks Up 100% Since 2010

Though the number of healthcare breaches declined slightly last year, criminal attacks are up 100% since 2010, according to a new Ponemon Institute study. The Patient Privacy and Data Security study also suggests one of the key factors in breaches is poor employee privacy protection practices. “The people in the healthcare industry are good people who sometimes do stupid things, and that is the source of a lot of the problems,” said Larry Ponemon of the Ponemon Institute, adding, “They’re trying to get their work done; they feel under pressure; they’re in the business of caring for patients, and they don’t want to waste time to do more security or take that extra step to protect privacy.” Meanwhile, The Seattle Times reports that Skagit County will pay $215,000 in fines stemming from a 2011 healthcare-related breach. [Full Story] See also: [B.C. family furious teen vaccinated without parental consent]

US – Wesley’s Patient Portal Gives Patients Access to Electronic Health Records

Patients at Wesley Medical Center and its affiliated campuses can now access the hospitals’ electronic medical records anywhere they have an Internet connection, including via a mobile device. Wesley launched Patient Portal for adult patients at Wesley Medical Center, Galichia Heart Hospital and Wesley West ER. Access for pediatric patients is coming soon, Wesley said in a news release. Patients who use the system will be able to see records of allergies, conditions, discharge summaries, hospital visit histories, lab results, medications, medication instructions, radiology reports and upcoming appointments. The information is downloadable, so patients can bring a paper copy to doctor’s visits. Patients will be provided login information at their next hospital visit. [Source] See also: [Telus unit buys B.C.-based electronic medical records company]

Horror Stories

UK – Hacker Blackmail Leads to Fine for Pregnancy Advice Service

The British Pregnancy Advice Service has been fined 200,000 GBP by the Information Commissioner’s Office (ICO) following a malicious hack and blackmailing incident. Though police recovered the data before a hacker could go through with a threat to publish the names, addresses and contact information of women who’d used the service for advice on pregnancy issues, the ICO still chose to fine the charity because it didn’t realize its website was storing the information and it further was not storing the information securely. “Ignorance is no excuse,” said Deputy ICO Commissioner and Director of Data Protection David Smith. “It is especially unforgivable when the organization is handling information as sensitive as that held by the BPAS.” [Full Story] See also: [Privacy breach at London Shoppers Drug Mart stuns customer] and also: [AU: Telstra fined after breaching privacy of 15,775 customers] and [Australia faces lawsuits over asylum seeker data breach]

US – Another 282K Credit and Debit Card Numbers Up for Sale

Another “massive” data breach has surfaced, purportedly the result of a hack at beauty supply chain Sally Beauty. Cybersecurity blogger Brian Krebs reports another 282,000 stolen debit and credit cards went up for sale on underground marketplaces this week, and he believes they were used “at one of Sally Beauty’s 2,600 stores.” Sally Beauty’s Karen Fugate walks Krebs through their investigation of the breach, however, and says that while suspicious activity was noticed by February 24, they’ve still been unable to find the source of any breach. Meanwhile, CMAJ reports medical data breaches were up 137 percent in 2013 over 2012. [Businessweek] See also: [Attackers trick 162,000 WordPress sites into launching DDoS attack]

Identity Issues

WW – Man Pleads Guilty to Running ID Theft Service

A Vietnamese national has pleaded guilty to running an identity theft service after being arrested last year in Guam by U.S. Secret Service agents. Court records indicate Hieu Minh Ngo “tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans,” the report states, noting, “the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search,” which had a contractual agreement with California-based Court Ventures. Ngo was able to access records there posing as a private investigator, the report states, making “available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.” [Krebs on Security] [US: 200M consumer records exposed in Experian security lapse]

US – New Study Finds Metadata Invades Privacy

Researchers at Stanford University have released findings from a study on the privacy implications of metadata. Using an app designed to mimic NSA metadata collection capabilities, 546 volunteers allowed the researchers to access their calling and texting data. Stanford’s Jonathan Mayer said, “We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window. We were able to infer medical conditions, firearm ownership and more, using solely metadata.” The U.S. government has argued that metadata does not invade users’ privacy. Stanford Center for Internet and Society Civil Liberties Director Jennifer Granick said the study “adds important empirical evidence to support what is now a growing consensus,” adding, “Metadata surveillance endangers privacy.” [Ars Technica] [US: Volunteers in metadata study called gun stores, strip clubs, and more]

Internet / WWW

US – An Update on the EU and APEC Roadmap

Senior Counsel for Privacy and Information Governance John Kropf together with Malcolm Crompton have recently suggested “that the challenge for global data flows was interoperability but that there was reason for optimism between the world’s two largest economic entities: the EU and the Asia-Pacific Economic Cooperation (APEC).” Since then, the Article 29 Working Party and the APEC Data Privacy Subgroup released their review. “This may be one of the EU’s most significant developments in the area of cross-border data transfers,” Kropf writes, “and potentially positive news for companies operating in both the EU and APEC regions.” [Privacy Perspectives]

EU – Proposition: EU Regulation with U.S. Penalties

Is the often abstract scholarship of privacy academics read by privacy regulators? It would seem that regulators may not have the time or inclination to read such work. On Wednesday, however, it was clear the answer was yes in many respects. Squeezed into a small room in the Rayburn House Office Building in Washington, DC, a handful of privacy scholars met briefly with some of the world’s most influential privacy regulators to discuss the future of public policy and the role of the privacy regulator as part of “Privacy Papers for Policy Makers,” co-organized by the Future of Privacy Forum and Rep. Sheila Jackson Lee (D-TX). [Full Story]

US – In the Privacy Debate, the Conventional Wisdom Is Wrong

Everybody knows the conventional wisdom: United States privacy law is weak and fractured, with neither comprehensive data protection legislation nor a dedicated privacy enforcement authority. The European Union is the gold standard of global privacy regulation, with its omnibus Data Protection Directive and collective force of 28 national data protection authorities. Alas, as is so often the case, conventional wisdom is wrong. IAPP VP of Research and Education Omer Tene lays out just why that is. Meanwhile, Karlin Lillington writes for The Irish Times on “the obvious disjunct between mainstream American and European views on privacy.” [Privacy Perspectives]

WW – The Global Competition Between Privacy Models

“Countries around the world are struggling to decide whether to adopt data protection law based on the proposed EU Data Protection Regulation or to use a U.S. approach to privacy protection,” writes Christopher Kuner of Wilson Sonsini. The result, he notes, is a “competition in global data protection policymaking, with the European Commission on the one side and the U.S. government on the other side, both lobbying other countries to follow their respective models.” Kuner looks into the global competition and analyzes, as an example, the current reform efforts in Japan through the lens of the U.S. and EU data protection approaches. [Privacy Perspectives]

WW – Group Alarmed Over Potential OECD Changes

A group of privacy regulators and experts have raised alarm at a potential privacy change in the Organisation for Economic Co-operation and Development (OECD) guidelines. Ontario Information and Privacy Commissioner Ann Cavoukian, University of Ottawa Prof. Khaled El Emam and German Data Protection Commissioner for the State of Berlin Alexander Dix—all of whom wrote a Privacy Perspectives blog post here—recently published a report expressing concern about a proposal they say will diminish privacy in the OECD guidelines. The report that caught their attention was written by Indiana Law Prof. Fred Cate, Microsoft’s Peter Cullen and Oxford Prof. Viktor Mayer-Schönberger—who wrote an earlier blog post here—and recommends restoring “the balance between privacy and the free flow of information … and avoid(ing) suppressing innovation with overly restrictive or inflexible data privacy laws.” Cavoukian has called the proposals “alarming,” the report states. [IT World Canada] [Paternalistic Approach to Privacy Will Deliver Unintended Consequences]

Law Enforcement

US – Seattle Police Department Wins Right to Use Facial Recognition

A Seattle City Council vote means the Seattle Police Department will now be able to use facial-recognition software to identify suspects caught on video. “We are already doing this work, but it’s manual,” said police spokesman Mark Jamieson. “This would just speed up the process.” The program is funded by a $1.64 million grant from the Department of Homeland Security. The plan’s approval follows a recent vote regulating the use of unmanned drones by law enforcement after the city bought two. Now, law enforcement can’t use drones without warrants, except in emergency situations. [NBC News]

Online Privacy

US – Privacy Groups Urge FTC to Block Facebook-WhatsApp Deal

In a complaint filed with the FTC, EPIC and CDD are seeking to block Facebook’s recent purchase of WhatsApp, citing concerns that the sale would harm WhatsApp users by allowing their data to be integrated into Facebook’s large advertising business. The privacy groups have said Facebook has a track record of changing its privacy policy, highlighting the changes it made after it purchased Instagram in 2012. They argue the practices are deceptive because users do not expect privacy policies to change, the report states. “WhatsApp users could not reasonably have anticipated that by selecting a pro-privacy messaging service, they would subject their data to Facebook’s data-collection practices,” said EPIC’s Julia Horwitz. Facebook has said WhatsApp “will operate as a separate company and will honor its commitments to privacy and security.” [The Washington Post]

US – Nonprofit Brings Transparency, Better Privacy to Online Data Industry

A data privacy nonprofit has announced the appointment of inaugural board members, including Allen Brandt and Lisa Grant to help it bring “a revolutionary way of thinking about Internet data.” DataNeutrality “aims to increase awareness of the need for businesses to take control of their data.” In a private-public partnership, the company will serve as privacy and data governance auditor and policy advisor to startup Mezzobit. DataNeutrality Executive Director Sharon Christiansen Geddes said the Internet happens in real time, “and current standards and regulatory processes are too slow to keep pace,” adding the board will help the company spot privacy issues without waiting for industry or regulatory authorities. [Full Story]

US – Plaintiffs Say Viacom, Google Lawsuit Should Proceed

Plaintiffs are arguing that a privacy lawsuit against Google and Viacom should proceed. “Viacom and Google, for their own pecuniary gain, have systematically employed Internet cookie technology to violate minor children’s right to be let alone,” attorneys wrote in papers filed last week with U.S. District Court Judge Stanley Chesler. “Defendants have developed third-party cookies to share video-viewing histories of these children and otherwise to track the contents of the Internet communications of millions of Americans online,” they added. Lawyers for Google and Viacom have argued the case should be dismissed. [MediaPost News]

US – EFF Questions Privacy Issues in Getty’s New Free Images

Bloggers and publishers of many stripes are celebrating a new plan by Getty Images to allow free use of its photography—as long as the proper embed code is used. In a post on the EFF website, Parker Higgins notes that many have reason to be excited, but privacy alarm bells are ringing: Getty, as a third-party host, “can possibly get and log your IP address and the exact time of the request” when you view that image on whichever website. Also, because Getty may be so popular, viewers will ping their servers often and from various sites, allowing for correlation of browsing history. Further, Getty has “certainly thought about” monetizing data usage. [Full Story]
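The EFF point above is a server-side one: whoever hosts an embedded resource sees, for every page that embeds it, the visitor's IP address, the time of the request and (through the Referer header) the embedding page, and can stitch those into a cross-site browsing history. The following is an added example, not code from the EFF post or from Getty, showing how little work that correlation takes once the host has its own access log. The log lines, host names, paths and addresses are constructed for illustration.

```python
"""Cross-site history reconstruction from an embed host's own access log.

Added illustration of the tracking risk described above; the embed host,
site names, paths, addresses and log lines are all hypothetical.
"""
import re
from collections import defaultdict

# Constructed "combined" format log lines as a hypothetical image host would
# record them. The Referer field is the embedding page, not the host itself.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:09:12:01 +0000] "GET /embed/12345.jpg HTTP/1.1" 200 51234 "http://news.example.org/article-1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.7 - - [10/Mar/2014:09:15:44 +0000] "GET /embed/99881.jpg HTTP/1.1" 200 40211 "http://health-forum.example.net/thread/migraine" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
198.51.100.23 - - [10/Mar/2014:09:16:02 +0000] "GET /embed/12345.jpg HTTP/1.1" 200 51234 "http://news.example.org/article-1" "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
203.0.113.7 - - [10/Mar/2014:21:40:13 +0000] "GET /embed/55512.jpg HTTP/1.1" 200 60001 "http://travel.example.com/deals/cuba" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
"""

# One regular expression for the combined log format: client IP, timestamp,
# request line, status, size, Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def browsing_histories(records):
    """Group embed requests by (client IP, User-Agent) and return, per visitor,
    the time-ordered list of referring pages. That list is exactly the
    cross-site history the embed host can reconstruct without any cookie."""
    histories = defaultdict(list)
    for rec in records:
        referer = rec["referer"]
        if referer and referer != "-":
            histories[(rec["ip"], rec["ua"])].append((rec["ts"], referer))
    return dict(histories)


def distinct_sites(history):
    """Set of distinct referring hosts in one visitor's history."""
    hosts = set()
    for _, referer in history:
        match = re.match(r"https?://([^/]+)", referer)
        if match:
            hosts.add(match.group(1))
    return hosts


if __name__ == "__main__":
    for visitor, history in browsing_histories(parse_log(SAMPLE_LOG)).items():
        print(visitor[0], "visited", sorted(distinct_sites(history)))
```

The correlation key here is only (IP, User-Agent), which is coarse; a real host would also have cookies, ETags or the Referer path to sharpen it. Note that the Referer header is what links the request to a specific third-party page: a browser that omits it breaks the cross-site link but still leaves the host with the visitor's IP address and the timing of each request.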

US – NAI Reports on Ad Networks’ Privacy-Compliance

The Network Advertising Initiative (NAI) released its annual compliance report, which details Internet ad networks’ compliance with the group’s self-regulatory privacy guidelines. AOL’s Doug Miller said, “In completing the compliance process, we demonstrate to regulators, business partners and consumers that membership in the NAI is not a mere promise to meet high standards.” NAI President and CEO Marc Groman noted, “When self-regulation works effectively, it’s a win for consumers and industry and regulators that have limited enforcement resources.” Meanwhile, leaders from the advertising community are meeting at the White House as part of the president’s review of Big Data and privacy. GroupM’s chief operating officer said the discussion will include “how the ad choices program has helped us treat privacy, that we do it responsibly and have put protections in place.” [AdWeek]

WW – Automating the Privacy Impact Assessment

Privacy compliance can be a complex endeavor, and privacy and security professionals often “believe that their compliance challenges are specific to their company, and subsequently have very little opportunity to collaborate with peers within their own companies,” writes AvePoint’s Dana Simberkoff, “much less opportunities to collaborate with peers within or across industries.” In this post for Privacy Perspectives, Simberkoff presents the new AvePoint Privacy Impact Assessment solution in conjunction with the IAPP “to bring automation to one of the fundamental tenets of a good privacy program.” This new tool “allows privacy teams to develop a Service Level Agreement with their colleagues in IT and the business,” she writes. [Full Story]

Other Jurisdictions

AU – New Laws Now In Effect in Australia

The Australian Privacy Principles are now in effect, replacing the National Privacy Principles and Information Privacy Principles, Smart Company reports. Under the new rules, businesses generating more than $3 million a year in revenue may be fined up to $1.7 million for mining Big Data or sharing or storing information without consent, the report states. One expert said the new laws are going to make it more difficult for companies to build profiles of their customers. Meanwhile, Business Insider reports on Coles’ revised privacy policy, which allows it to share customers’ information with companies in at least 23 countries, noting the policy “was released just before the new Australian Privacy Principles come into force this week, which make businesses list likely overseas recipients of personal data and conform with stricter rules.” And, the country’s healthcare and point-of-sale industries are expected to be “focal points for efforts to improve privacy protections in the wake of new privacy controls,” CSO reports. IAPP Westin Research Fellow Dennis Holmes provides a detailed overview of the newly enacted APPs in this installment of the Privacy Tracker blog. [Full Story]

AU – With Australian Laws Now In Effect, Reports Examine Ramifications

It has been almost two weeks since changes to the Privacy Act went into effect, and newspapers are already reporting on the impact of some of those changes. State privacy commissioners are supporting the changes, with ComputerWorld quoting New South Wales Privacy Commissioner Elizabeth Coombs as saying, “Individuals now have more rights to find out what information is being held about them and where it is being held.” And a feature in The Sydney Morning Herald considers provisions requiring telemarketers “to disclose if asked, within a reasonable time, where they obtained your number and if it’s come from a third party.” ZDNet looks at the impact of reforms on the financial sector, noting “Australia’s big four banks have been forced to provide full disclosure on what information they are collecting about their customers, how it is collected and how it is being used.” [ComputerWorld] [ZDNet]

MX – Mexico’s Regulator Plans to Issue “Abundance” of Fines

Mexico’s data protection authority (IFAI) has issued a statement announcing it will issue “an abundance of fines in 2014 following an unprecedented increase in violations of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties,” Reed Smith’s Cynthia O’Donoghue writes. The IFAI has the authority to issue fines for such violations of up to $1.5 million and up to three years imprisonment for data controllers whose databases are breached under their control, with double penalties for “sensitive data.” [Mondaq]

AU – ASIO Calling for Data Retention Laws

Australia’s federal spying agency, ASIO, “is using the Snowden leaks to bolster its case for laws forcing Australian telecommunications companies to store certain types of customers’ Internet and telephone data for a period of what some law enforcement agencies would like to be two years.” Many law enforcement agencies support the move for a data retention regime, the report states, noting questions remain about what type of data should be stored by Internet and phone providers. “ASIO argues that more people are encrypting their web communications after revelations made by U.S. intelligence contractor Edward Snowden about widespread data collection programs by governments,” the report states, adding ASIO believes this hastens the need for laws requiring providers to retain customer metadata for prescribed periods of time. [The Age] See also: [South Africa lacks a data privacy culture]

BR – Brazil Drops Local Data Storage Provision

The government of Brazil has dropped a controversial provision in legislation some have dubbed the country’s “Internet Constitution” that would have required companies to store data on Brazilian citizens inside the country. The data storage provision was added last year after certain U.S. National Security Agency surveillance leaks revealed the agency had spied on Brazil’s president. Provisions that remain in the legislation include other privacy safeguards and limits on the gathering and use of Internet users’ metadata. Late last year, Google had testified in front of the U.S. Congress that local data storage laws would balkanize the Internet. [Reuters]

PH – Opinion: Philippines Cybercrime Law Has Questionable Provisions

Clayton Wood writes that citizens of the Philippines continue to rally against the country’s Cybercrime Prevention Act more than a month after the Supreme Court upheld it. While protection against cybercrime is a plus for businesses relying on the Internet, concerns remain over a provision that deals with authorities’ access to the online behavior of individuals and one that makes libel a more serious crime online than in print media. [Tech In Asia]

Privacy (US)

US – Opinion: Pace, Relevance of Legislation Will Increase

Peter Waterhouse writes that between whistleblowing and high-profile data incidents, he expects “the pace and relevance of regulation to increase and improve.” Citing the proposed EU breach notification regulation, which would allow fines of up to five percent of annual revenue, Waterhouse advocates for laws with sharp teeth, imagining what these kinds of fines might mean in situations like the Target and Mt. Gox incidents. “Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth,” writes Waterhouse. [Information Week op-ed]

US – FTC’s Kaufman Backs Civil Penalties for Large Breaches

FTC Deputy Director Daniel Kaufman has said companies experiencing substantial data breaches should face civil penalties. If the agency had the mandate to hand out such penalties, he said, businesses would be more motivated to implement strong data privacy frameworks beforehand, limiting the number of large-scale breaches. He emphasized the importance for U.S. businesses to be more transparent and to self-regulate in order to remain competitive globally. The agency does not want to stifle innovation, he noted, adding, “We want to make sure there’s privacy out there, but we are aware there are huge benefits.” Kaufman also said the FTC is nearing completion of its data broker study. [VentureBeat] See also: [Shocked to learn how data brokers are watching you?]

US – Louisiana House Panel Delays Education Privacy Discussion

The Louisiana House Education Committee delayed discussions on a bill to limit information school districts share with the state Department of Education (DOE) due to disagreement over what information should be shared. State Superintendent of Education John White underscored that the DOE needs certain information to establish eligibility for funds, among other things, but the bill’s sponsor, Rep. John Schroder (R-Covington), says the additions White seeks would undermine the aim of the bill. HB 946 would also limit retention of student data and create new ID numbers that would replace Social Security numbers. The bill may be on hold until March 26, according to the report. [The Advocate] See also: [Manitoba: Social media privacy being taught at high school]

UK – Ucas Sells Access to Student Data for Phone and Drinks Firms’ Marketing

Access to the data of more than a million teenagers and students and thousands of their parents is being sold to advertisers such as mobile phone and energy drinks companies by Ucas, the university applications body. The Universities and Colleges Admissions Service received more than £12m last year in return for targeted advertising and sales of the emails and addresses of subscribers as young as 16. The service, which controls admissions to UK universities and attracts 700,000 new applicants each year, sells the access via its commercial arm, Ucas Media. Vodafone, O2, Microsoft and the private university accommodation provider Pure Student Living are among those who have marketed through Ucas, which offers access to over a million student email addresses and a market worth a claimed £15bn a year. The Red Bull energy drink firm promoted three new drink flavours by sending sample cans to 17,500 selected students deemed to be trend-setting “early adopters” in order to create a “social media buzz”. Applicants can opt out of receiving direct marketing, but only at the cost of missing out on education and careers mailings as well. [Source]

US – Court Rules in Favor of Plaintiffs Despite Lack of Financial Harm

A federal court in Florida recently broke the mold of dismissing consumer class-action lawsuits against companies that have suffered data breaches if the consumers haven’t suffered financially. The court approved a $3 million settlement for victims of a personal-health information breach though they suffered “no direct losses or identity theft.” Meanwhile, a small-town Colorado hospital has reported a breach affecting more than 5,000 patients after identifying a virus on its computers, and Umpqua Holdings Corp. has filed a class-action against Target, but this suit is a bit different; it alleges violations of the Minnesota Plastic Card Security Act. [Computerworld] and [Malware threats making anti-virus software ‘totally useless’]

US – Court Rules Eavesdropping Law Unconstitutional

The Illinois Supreme Court has unanimously ruled that one of the nation’s toughest anti-eavesdropping laws is unconstitutional. The 1961 Illinois Eavesdropping Act made it a felony to record a conversation without the consent of all parties involved, but the court ruled the law violates free speech and protections for due process. In People v. Melongo, the court concluded the law’s recording provision “burdens substantially more speech than is necessary to serve a legitimate state interest in protecting conversational privacy.” The justices also wrote, “the statute’s scope is simply too broad.” In a separate case, the Ninth Circuit reinstated a class-action lawsuit against Hilton Worldwide, where the plaintiffs argue the company violated California privacy law by recording service calls. [Associated Press]

US – California DNA Collection Law Upheld

Civil liberties advocates are decrying the recent decision of a special 11-judge Ninth U.S. Circuit Court of Appeals panel, which unanimously upheld California’s law “allowing collection of DNA samples from anyone arrested on a felony” charge. The panel cited a Supreme Court ruling from last year that backed a similar Maryland law, and it rejected an ACLU argument that the California law is broader than Maryland’s and more of a privacy threat because Maryland’s law only permits collection from those charged with a “serious felony” and after a judge finds probable cause. However, the panel did suggest advocates return to a lower court and challenge the law on narrower grounds. [San Jose Mercury News]

US – HIPAA Changes Mean Tightening Up Vendor Relationships

With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information-security management. Particularly, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear on performing appropriate due diligence. David Holtzman and Erin McMillan drill down on how to comply with the changes. [The Privacy Advisor]

US – Google Sued for Student Mining; Wins Class-Action Denial

Google has been sued for scanning and collecting student data in its Apps for Education program and using the data to build profiles of the students. The lawsuit is currently making its way through a federal court in California and is represented by EPIC. The group argues the practice violates the Family Educational Rights and Privacy Act and may violate federal and state wiretap laws. Meanwhile, in a separate case, a federal judge has denied a request to combine multiple privacy complaints against Google into one class-action lawsuit. Though the ruling does not settle the dispute, it is a setback for the plaintiffs. [International Business Times]

US – Privacy Activists, Medical Groups Disagree on MN Infant Screening Program

In Minnesota, a bill to amend a newborn screening law to authorize a bio bank is causing concern for privacy activists. The bill would allow the state’s Department of Health to retain newborns’ blood samples and test results indefinitely but provide parents with the ability to opt out of the program. One lawyer involved in the case that struck down the bio bank in front of the state Supreme Court says the plan should be opt-in, but proponents of the bill say that would hamper research and that the time limit on retention could restrain the ability for diagnoses in some cases. [KEYC-TV]

US – New Jersey Supreme Court Rules Wiretaps Can Cross State Lines

The New Jersey Supreme Court has unanimously ruled that police wiretap warrants apply to phones in other states. Chief Justice Stuart Rabner wrote, “Because of the inherent mobility of cellphones, it would be impractical, if not impossible in some instances, for law enforcement to intercept cellphone conversations if agents could only rely on orders issued in the state where a call was placed or received.” The defense lawyer in the case says the ruling is an affront to privacy rights. []

US – Yahoo Wants Judge to Drop E-mail Suit

Yahoo has asked a federal judge to dismiss a potential class-action lawsuit that claims the company violated the Electronic Communications Privacy Act (ECPA) when scanning the e-mails of users to serve them related advertisements. In papers filed last week, the company argued it does not violate ECPA because users explicitly consent to Yahoo’s practices by accepting its terms of service. Non-Yahoo users have argued that they have never accepted such terms, but Yahoo has countered that ECPA only requires consent from one party in a conversation, adding it does not violate California’s applicable privacy law because applying that law to such cases “would potentially turn ordinary and widespread computer use into criminal activity.” [MediaPost News]

US – Data Security Remains in Congressional Spotlight

Two congressional hearings this week aim to examine data security issues and the potential for legislation. The Financial Services subcommittee on Financial Institutions and Consumer Credit will hold a hearing to look into the nature of data breaches, what preventative measures are possible and whether technology can play a role in preventing breaches. The congressional panel said the American public ought to know what protocols should “be in place when private- or public-sector entities mishandle, improperly disclose or otherwise fail to ensure the security of personal financial information.” Additionally, the House Science Committee will hold its own cybersecurity hearing. Meanwhile, a man in Oregon has claimed to have received thousands of faxes allegedly meant for United Healthcare that contain sensitive personal information. [The Hill]

US – Judge: Insurer Doesn’t Need to Defend Accused

A federal judge has said National Union Fire Insurance Company of Pittsburgh, PA, does not have to defend Coinstar and its Redbox, Inc. unit in a class-action that accuses them of “illegally keeping customers’ rental histories and then using the information for marketing purposes.” U.S. District Judge John Coughenour granted the insurer’s motion for partial summary judgment, the report states. Meanwhile, U.S. District Judge Lucy Koh has said attorneys representing consumers in a class-action against Google face a “huge hurdle” in obtaining class-action status. [Full Story]

US – “Revenge Porn” Victim Awarded $500K in Civil Case

A jury in Texas has awarded a woman $500,000 in a “revenge porn” case. An ex-boyfriend blackmailed her and eventually published the material on the Internet. Though there is no specific law against it in Texas, two state lawmakers are working on legislation that would make revenge porn illegal. Critics, however, warn such a law could violate the First Amendment. One legal analyst said, “If you allow the state or federal government to restrict your speech in one instance, it could expand and get more restrictive over other matters and nobody wants that.” New Jersey and California have both outlawed revenge porn and other states are considering a similar move. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – Start-ups Betting on Privacy as Selling Point

A growing number of start-ups are “betting consumers will pay at least something to keep their data away from prying eyes.” “The next generation of start-ups, those in the next 10 years that will survive, will be the ones that put security first,” said Wickr CEO Nico Sell, adding, “the benefits of the Internet have been proven and privacy is in demand, and people are willing to pay.” Surveillance and online privacy are also big topics of conversation at SXSW this year, the report states, with speakers such as Julian Assange of WikiLeaks fame and NSA whistleblower Edward Snowden. [NBC News] [Edward Snowden speaks at SXSW, calls for public oversight of U.S. spy programs]

US – Startup Hits $6.3 Million in First-Round Funding

OwnCloud, a young company founded in response to concerns over secure data storage and sharing, has now raised $6.3 million in Series A funding. The company got its beginnings in 2010 when co-founder and CTO Frank Karlitschek concluded new cloud computing services were a threat to data security and privacy and so wrote open-source code and put a community of developers on the case. The company differentiates itself from competitors by giving corporate IT departments control over where the data is stored, the report states. [The Wall Street Journal] See also: [Future Robots to Keep Your Secrets] and [Price, power, privacy: why trust issues should influence your tech purchases]

US – Startup Allows for Collecting Big Data Without Little Data

Researchers at Max Planck Institute for Software Systems have proposed a novel way to collect Big Data. Their startup, Aircloak, aims to allow for the collection of Big Data without also collecting “little data” about consumers’ lives. Aircloak currently has “no direct rivals,” its cofounder Sebastian Probst Eide said, because most of the leaders in that industry still treat privacy as a “necessary chore” rather than as fundamental to the product’s design. The product uses “cryptographic proof” to indicate to users that it’s completely transparent. “If we were to introduce a backdoor, or if the NSA came along and forced us to do that, it would be visible. People will be able to see it in the code,” Eide said. [Forbes]

WW – FreedomPop Releases $189 Private Phone; Cryptocat Goes Mobile

Not long after the announcement of Silent Circle’s Blackphone, there is already a lower-priced competitor. FreedomPop has launched a $189, contract-free Privacy Phone, which is essentially a Samsung Galaxy S II, but with software that includes encryption for all Internet-based calls and messages, with data traveling through a VPN. The Blackphone will retail at $629 in the United States. Meanwhile, Cryptocat, a web application for private chatting, is now available as a free app in the Apple App Store. Cryptocat uses Off-the-Record Messaging, a “cryptographic protocol for secure Internet messaging,” with servers housed in a “Swedish nuclear bunker,” reports Reason. [Engadget]

US – Wickr Raises $9m for Private Messaging App

Wickr, a private messaging app that allows for encrypted mobile messaging with no data stored by the service, has raised $9 million in Series A funding. The round was led by Alsop Louie, with investments by Juniper Networks and the Knight Foundation. Alsop Louie partner Gilman Louie is joining the company’s board, and individual investors include former presidential advisor Richard Clarke, Lookout CEO John Hering and Human Rights Foundation president Thor Halvorssen, the report states. Currently, Wickr delivers roughly one million messages per month in more than 190 countries, but the report says usage has been doubling “every two months.” [Silicon Valley Business Journal]

WW – Yang Invents New Privacy-Centric Coding Language, Jeeves

MIT PhD student Jean Yang has invented a privacy-centric coding language called Jeeves that allows coders to “readily create privacy settings for an entire application, a master list that could then flow to each new application feature.” With Jeeves, Yang said, “private data such as photos would be attached to policies until the moment they are released. This guarantees that unauthorized viewers may not view a photo no matter what series of actions they took to arrive at a photo.” [Wired]
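The mechanism the item describes, a value that stays bound to its policy through every computation and is only resolved at the moment it is shown to a viewer, is the faceted-value idea behind Jeeves. The following is an added illustration in plain Python of that idea; it is not Jeeves itself nor any of Yang’s code, and the user names, friend list and “near home” check are constructed sample data.

```python
"""Illustrative Jeeves-style faceted values (added example, not Jeeves itself).

A Faceted value carries a 'high' (real) facet, a 'low' (redacted) facet and the
policies that must hold for a viewer to see the high facet. Computations are
lifted over both facets, so anything derived from sensitive data stays
sensitive; the policy is only evaluated when the value is concretized for output,
"no matter what series of actions" produced it.
"""
from dataclasses import dataclass
from typing import Any, Callable, Tuple

Policy = Callable[[Any], bool]   # viewer -> True if the high facet may be shown


@dataclass(frozen=True)
class Faceted:
    high: Any
    low: Any
    policies: Tuple[Policy, ...]


def sensitive(high, low, policy):
    """Attach a policy to a value at the point where it enters the program."""
    return Faceted(high, low, (policy,))


def lift(fn, *args):
    """Apply fn to arguments that may be Faceted. The result carries every
    policy of every Faceted argument, so the flow through fn is tracked."""
    policies = tuple(p for a in args if isinstance(a, Faceted) for p in a.policies)
    if not policies:
        return fn(*args)
    hi = fn(*(a.high if isinstance(a, Faceted) else a for a in args))
    lo = fn(*(a.low if isinstance(a, Faceted) else a for a in args))
    return Faceted(hi, lo, policies)


def concretize(value, viewer):
    """Output boundary: resolve to the high facet only if every policy permits."""
    if not isinstance(value, Faceted):
        return value
    return value.high if all(p(viewer) for p in value.policies) else value.low


# Constructed sample data (assumption: users are strings, friendship is a set).
FRIENDS = {"alice": {"bob"}}


def photo_location_policy(owner):
    """Only the owner and the owner's friends may see where a photo was taken."""
    return lambda viewer: viewer == owner or viewer in FRIENDS.get(owner, set())


def build_photo_views(owner, location, viewers):
    """Build a caption and a derived flag from a sensitive location, then render
    them per viewer. Returns {viewer: (caption, near_home)}."""
    loc = sensitive(location, "an undisclosed location", photo_location_policy(owner))
    caption = lift(lambda o, l: f"{o} posted a photo from {l}", owner, loc)
    # A boolean computed from the location still depends on it, so it stays
    # policy-bound; a stranger sees the low facet's answer, not the real one.
    near_home = lift(lambda l: l == "Austin", loc)
    return {v: (concretize(caption, v), concretize(near_home, v)) for v in viewers}


if __name__ == "__main__":
    views = build_photo_views("alice", "Austin", ["alice", "bob", "mallory"])
    for viewer, (cap, near) in views.items():
        print(f"{viewer:8s} -> {cap!r}, near_home={near}")
```

The point to notice is that the code building the caption and the near-home flag never consults a permission check; the policy travels with the data and is enforced once, at concretize, for whichever viewer is asking.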


US – Target Invests $100m+ in Data Security

Following the data breach that cost the company as much as $440 million in profit, Target has announced it is “accelerating the adoption of advanced chip-enabled technology, investing more than $100 million to equip its stores and to issue Target branded smart chip credit and debit cards.” Further, the company is investing $5 million in a new coalition with the Better Business Bureau, National Cyber Security Alliance and National Cyber Forensics Training Alliance to educate the public about cybersecurity and the dangers of consumer scams. [Retail Info Systems News] See also: [Data Risk, Privacy Breach And Insurance Coverage In Canada]

WW – Samsung Devices May Have Backdoor to User Data, Developer Says

Samsung’s Galaxy devices might have a built-in security flaw that could allow for “remote access to data,” a developer claims. The developers behind Replicant, a free and open-source OS that aims to replace proprietary Android components with free alternatives, claim to have discovered a flaw in certain Samsung devices that allows for access “to read, write, and delete files on the phone’s storage.” In addition, the developers said that the flaw has “sufficient rights to access and modify the user’s personal data.” In a blog post detailing the issue, Replicant developer Paul Kocialkowski said the trouble resides in the use of two processors in mobile devices. The applications processor runs the main operating system, while a second, baseband processor handles communications to and from the device. The issue with the baseband processor in Samsung’s devices, Replicant argued, is that proprietary Samsung software handles all the communication between the two, and that software allows for a backdoor to user data. [Source] See also: [US: Smart Device Makers Put on Notice for Poor Security]
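The practical lesson of the two-processor description above is that the applications processor should treat file requests arriving from the baseband as input from a peer that may be compromised. The following is an added example, not Samsung’s or Replicant’s code, of how an AP-side handler can confine such requests: the request shape (an operation name and a path), the allowlisted directory and the sample requests are all assumptions made for illustration.

```python
"""Added example: confining file requests that arrive from a less-trusted
processor (for instance a baseband over a vendor IPC channel). Not Samsung's
or Replicant's code; the request format and directory below are assumptions.

Only an allowlisted directory and operation set are honoured, and paths are
canonicalized lexically before the prefix check so '../' and '/./' cannot
escape the sandbox. The check is lexical: a real handler should additionally
open files with O_NOFOLLOW / openat(..., RESOLVE_BENEATH) so symlinks inside
the sandbox cannot point outside it.
"""
import posixpath
from typing import List, Tuple

MODEM_ROOT = "/data/radio"            # assumption: the only files the modem needs
ALLOWED_OPS = {"read", "write"}       # no delete, no directory listing


class RejectedRequest(Exception):
    pass


def confine_path(requested: str, root: str = MODEM_ROOT) -> str:
    """Return the canonical absolute path if it lies strictly inside root."""
    if "\0" in requested:
        raise RejectedRequest("NUL byte in path")
    candidate = requested if posixpath.isabs(requested) else posixpath.join(root, requested)
    canonical = posixpath.normpath(candidate)
    # Compare against root + "/" so that "/data/radio2/x" is not accepted
    # merely because it shares the string prefix "/data/radio".
    if not canonical.startswith(root + "/"):
        raise RejectedRequest(f"path escapes sandbox: {requested!r}")
    return canonical


def handle_modem_request(op: str, path: str, max_len: int = 4096) -> Tuple[str, str]:
    """Validate an (op, path) request; return (op, canonical_path) or raise."""
    if op not in ALLOWED_OPS:
        raise RejectedRequest(f"operation not permitted: {op!r}")
    if len(path) > max_len:
        raise RejectedRequest("path too long")
    return op, confine_path(path)


def triage(requests: List[Tuple[str, str]]):
    """Split constructed sample requests into accepted and rejected lists."""
    accepted, rejected = [], []
    for op, path in requests:
        try:
            accepted.append(handle_modem_request(op, path))
        except RejectedRequest as exc:
            rejected.append((op, path, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample traffic, including traversal and prefix-confusion attempts.
    sample = [
        ("read", "nv_data.bin"),
        ("read", "../../etc/passwd"),
        ("delete", "nv_data.bin"),
        ("read", "/data/radio2/x"),
        ("write", "/data/radio/log/../../../system/bin/sh"),
    ]
    ok, bad = triage(sample)
    for item in ok:
        print("ACCEPT", item)
    for item in bad:
        print("REJECT", item)
```

The design choice worth noting is the deny-by-default operation set: whatever the vendor protocol can express, the handler only ever performs reads and writes inside one directory, so even a fully compromised baseband gains no more than that.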

Smart Cars

WW – Volkswagen Chairman Calls for Protections on Car Data

Volkswagen Group Chairman Martin Winterkorn says strict protections are needed to prevent government intrusion into the vast amounts of data that will be collected by cars in the future. “The car must not become a data monster,” said Winterkorn from a trade show in Germany. “I clearly say yes to Big Data, yes to greater security and convenience, but no to paternalism and Big Brother.” He called for international efforts to ensure data protection and also called for a voluntary commitment from the car industry to protect such data. [Re/code]


US – NSA Plans Revealed for Infecting “Millions” of Computers

The latest revelation from the Snowden files, reported by Glenn Greenwald and Ryan Gallagher, is that “the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.” The report details what it calls “groundbreaking” surveillance technology, at times masquerading as a Facebook server, other times implanted in spam e-mails. The practice dates back to 2009, but in response to questions, the NSA said in a statement that, going forward, signals intelligence will only be utilized to support national and departmental missions for foreign intelligence or counterintelligence. [Intercept] See also: [The NSA Has An Advice Columnist. Seriously] and [Rogers Declines to Call Snowden a Traitor]

US – NSA Says Spying Concerns Trumping Cybersecurity Fixes

NSA Director Gen. Keith B. Alexander has said the unauthorized disclosures by Edward Snowden—who will speak via videoconference at SXSW—have stymied efforts by the government to prevent cyber-attacks on major U.S. infrastructure. In one of his last public speeches before departing the agency, Alexander predicted that Congress would change laws around the bulk collection of telephone records before passing cybersecurity legislation that could help the government work with private companies in sharing threat data. Alexander has asked for laws that would clear the way for companies to share data with the government about incoming threats—something, he said, that is often prevented by current privacy law, the report states. In a separate but related story, the federal government has filed a lawsuit against Sprint, accusing the company of overcharging federal agencies for wiretapping services, an act, it argues, that violates the Communications Assistance for Law Enforcement Act of 1994 (CALEA). [The New York Times] Meanwhile, a judge has blocked plans by the NSA to begin destroying phone records it collected for surveillance. The Foreign Intelligence Surveillance Court had ruled last week that the NSA could destroy the records.

UK – Optic Nerve: Millions of Yahoo Webcam Images Intercepted by GCHQ

Britain’s surveillance agency GCHQ, with aid from the U.S. NSA, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal. GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not. In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally. Yahoo reacted furiously to the webcam interception when approached by The Guardian. The company denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy”. [Source]

WW – Egan: “If People Are Surprised, That’s Not Good”

Facebook Founder and CEO Mark Zuckerberg made public his confusion and frustration over “repeated reports” of government spying. In calling on the U.S. government to “be the champion for the Internet, not a threat,” Zuckerberg said, “They need to be much more transparent about what they’re doing, or otherwise, people will believe the worst.” Transparency for a company like Facebook, one predicated on users sharing personal information with one another, is a huge part of maintaining such trust. This same notion was explained in more detail by Facebook Chief Privacy Officer, Policy, Erin Egan. [The Privacy Advisor] See also: [5 apps for spying on your spouse] See also: [‘Upskirt’ photos not illegal, U.S. court rules] [Police video released of Justin Bieber urinating]

Telecom / TV

CA – Bell Canada Case: A Challenge to Interest-Based Advertising

Should telecommunications providers be able to use their subscribers’ behavioral information to sell advertising? And are rules stricter than PIPEDA needed for telecoms? A complaint over Bell Canada’s practices brought before the CRTC may end up determining the answers to these questions. Timothy Banks of Dentons Canada LLP writes that if the CRTC agrees with the Public Interest Advocacy Centre and the Consumers’ Association of Canada that “more detailed privacy rules are needed for telecommunications carriers … this could represent one of the most important developments in the evolution of privacy law in Canada since the enactment of PIPEDA.” [Privacy Tracker]

WW – Lookout Releases Free, Open-Source Short-Form Privacy Policy Tool

You know the privacy policy story by now: While ostensibly intended to inform users of what a company will do with their personal data, the egregiously long, legalese-riddled documents have evolved into a formality rather than a meaningful contract for users themselves. That’s why Lookout has just released an open-source tool that aims to change that. “Private Parts” allows app developers to customize short-form privacy policies for their brands or products in five steps, or under an hour. Angelique Carson has the story. [The Privacy Advisor]

WW – Apps Alliance, Intuit Release Open Source Mobile Privacy Notice Code

The Application Developers Alliance and its member Intuit, maker of Quicken and QuickBooks, announced that Intuit will provide developers with open-source software code to implement at-a-glance mobile app privacy notices. The code will allow app developers to comply with the Mobile App Privacy Voluntary Code of Conduct developed through last year’s U.S. government-hosted multi-stakeholder talks on mobile app privacy. The code, according to a press release, enables developers to incorporate “privacy screens,” or simple notifications of what data the app is collecting and with whom it is shared. [Full Story] See also: [C.I.A. Employees Face New Inquiry Amid Clashes on Detention Program]

US Government Programs

US – Snowden Gives Tech Industry Call to Arms

This year’s South by Southwest (SXSW) conference featured a rare teleconference interview with Edward Snowden. Speaking to a crowd of developers and entrepreneurs, Snowden said the NSA is “setting fire to the future of the Internet,” adding, “You guys are all the firefighters. We need you to help us fix this.” He called on privacy activists, cryptographers and developers to build better tools to help protect the privacy of users of technology, which will, he said, “allow us to reclaim the open and trusted Internet.” [The New York Times]

US Legislation

US – FTC Seeks Comment on Proposed COPPA Safe Harbor

The FTC has announced it is seeking public comment on a proposed safe harbor program that’s been submitted for FTC approval under the Children’s Online Privacy Protection Act (COPPA) Rule. Industry groups and others can ask the commission to approve self-regulatory guidelines under the COPPA rule, and companies that comply receive safe harbor from enforcement. A Federal Register notice will be published shortly asking for public comment on the proposed iKeepSafe program, specifically regarding whether the mechanisms used to assess operators’ compliance are effective, whether incentives for compliance are effective and whether it “provides adequate means for resolving consumer complaints.” The comment period ends April 21. [Full Story]

US – Data Breach Reporting, a Struggle for U.S. Lawmakers and Businesses

In the absence of a federal law, businesses are forced to comply with widely varying and ever-changing state data breach notification laws, but there are hurdles in the path to compromise for lawmakers as well. There are five federal bills looking at these issues right now; Covington & Burling published a comparison of them a couple of weeks ago, and the Associated Press now reports on lawmakers’ lack of consensus on the issue, highlighting some of the key sticking points. FCW reports that a recent hearing of the Financial Institutions and Consumer Credit Subcommittee of the House Financial Services Committee saw law enforcement officials pushing for federal reporting standards, noting they could aid investigators and consumers, and Attorney General Eric Holder called for a national consumer notification law in February. [No Consensus On Notifying Victims Of Data Breaches]

US – U.S. Bill Would Grant Farmers More Privacy

A bipartisan group of senators has proposed a bill that would prohibit the Environmental Protection Agency (EPA) from sharing the personal information of livestock and poultry producers. Agri-Pulse reports that HR 4157 comes a year after the EPA, in complying with a Freedom of Information request, released producers’ personal information to three environmental groups. The information included names, addresses and in some cases phone numbers and e-mail addresses of over 80,000 producers, and the EPA says it has no power to prevent this from happening again.

US – Company Sues Utah for Right to Surveil

Digital Recognition Network, Inc. (DRN) and Vigilant Solutions are suing the state of Utah for banning them from using automated cameras to collect images, locations and times of license plates, claiming that it violates their First Amendment rights. DRN Counsel Michael Carvin says, “Everyone has a First Amendment right to take these photographs and disseminate this information,” arguing that a license plate is inherently public information. ACLU Attorney Catherine Crump says this is “a complicated area where we are going to need to carefully balance First-Amendment rights of corporations versus individuals’ privacy rights,” noting that First Amendment rights aren’t unlimited; “There are circumstances under which the government is free to regulate speech.” [The Oregonian]

US – ECPA Reform Gains Steam in House

Reform to the Electronic Communications Privacy Act (ECPA) is gaining steam in the House of Representatives. Privacy advocates have been frustrated of late, the report states, because reform has been stalled in the Senate. Reps. Kevin Yoder (R-KS), Tom Graves (R-GA) and Jared Polis (D-CO) have introduced the E-mail Privacy Act, and thus far, have 181 cosponsors. A spokesman for Yoder said they’re “pushing to get more.” Mark Stanley of the Center for Democracy and Technology said, “There’s a lot of growing support for that bill … A lot of members of Congress see this as a common sense thing.” [The Hill]

US – Florida Senate Committee Passes Bill to Standardize Gov’t Data Handling

The Florida Senate Committee on Governmental Oversight and Accountability has unanimously approved a bill sponsored by Sen. Jeff Brandes (R-St. Petersburg) that would create a uniform protocol for handling personal identification information within government agencies and contracted websites. SB 782, Government Data Practices, sets out specific required disclosures for contractors, requires agencies to set up appropriate timelines for retention and disposal of data and requires OPPAGA to create a data inventory report to inform lawmakers of what’s being collected and held. [WCTV]

US – Feinstein Calls for Federal Drone Legislation

For the second straight week, 60 Minutes featured a story related to privacy. Sen. Dianne Feinstein (D-CA) said the privacy concerns brought on by the emerging technology are “major,” Politico reports. “When is a drone picture a benefit to society?” she asked. “When does it become stalking? When does it invade privacy?” Feinstein said she spotted a drone looking into her window during demonstrations outside her home; demonstrators have said it was a toy helicopter. “It’s going to have to come through regulation,” she said, “perhaps regulation of size and type for private use. Some certification of the person that’s going to operate it … some specific regulation on the kinds of uses it can be put to.” She also questioned appropriate use for law enforcement, asking, “What’s the appropriate governmental use for a drone?” [Full Story] See also: [US: Feinstein says CIA spied on Senate computers] and [Now Facebook Has a Drone Plan]

US – In Lieu of Federal Drone Laws, States Legislate on Their Own

While there are increasing incentives for both private and public use of drones in myriad applications, privacy advocates are urging states to legislate such use before privacy violations become widespread. This year, 35 states will consider legislation, some of which includes ways to “attract an industry that could generate billions and restrictions on drone use and data collection,” the report states. States are left to legislate on their own in lieu of federal legislation on the matter. [Associated Press]

US – Drones: Aren’t the Laws Already on the Books?

“The grandfathers of privacy wouldn’t argue for new, drone-specific privacy rules,” writes Jeff Kosseff. Rather, the common-law privacy torts they articulated more than a century ago would apply equally to drones as they do to older information-gathering technologies. In part one of a three-part series on drones, Kosseff looks at existing U.S. laws to be considered when it comes to the use of drones for gathering information. Look for part two, on private-sector drone use. [Full Story]

US – Hawaii’s Anti-Drone Bill Put Out to Pasture

SB 2680 would’ve made it illegal for private entities to use drones in the state, but after hearing evidence from ranchers, researchers and cinematographers, Transportation Chairman Ryan Yamane decided not to schedule it for a hearing. “Everybody is using it for different reasons, and so it is key that before we move any legislation forward, that we don’t negatively impact all the value that it’s going through now,” Yamane said. [KITV4]

US – Kansas Senate Committee Passes Drone Privacy Bill

A Kansas Senate committee has passed SB 409, which would limit the use of drones with recording devices, reports KSN. Sen. Dan Kerschen (R-District 26), the vice chair of the Natural Resources Committee, says this bill is different because it focuses on protecting “private property rights with the use of these aircraft on who owns the property.” The committee helped to define some areas of the bill relating to property rights and search warrants, according to Kerschen. The bill now goes to the full chamber for discussion.

US – New Hampshire House Votes to Regulate Drone Use

The New Hampshire House, in a voice vote, approved measures to limit drone use in order to protect privacy. The legislation would require police to get a warrant prior to using data obtained with drones and also limits commercial and institutional use of drones. [Associated Press]

US – Utah Senate Approves Drone Privacy Bill

The Utah Senate has unanimously approved a bill that puts limits on police use of drones. The bill would require law enforcement to get a warrant before using drones and puts limits on what kinds of data drones can collect and over what period of time. The bill now heads to the House. [Associated Press]

US – Wisconsin Drone Privacy Bill Heads to Governor

The Wisconsin Assembly unanimously passed a bill that would make it illegal to use a drone capable of capturing audio or video recordings in places where individuals have a reasonable right to privacy. The bill also requires that police obtain a warrant before using drones to collect evidence, unless in an emergency situation, and makes it illegal to own, sell or possess a weaponized drone, the report states. The bill now heads to Gov. Scott Walker for signature. [The Republic]

US – Kansas Committee Passes Bill to Share Youth Death Information with Researchers

The Senate Judiciary Committee has approved a bill that would allow the State Child Death Review Board to share information with researchers. Nancy Strouse, executive director of the Kansas Judicial Council, says passing the bill would allow Universities in the state and others to conduct studies, making the state board more effective. “Research can lead to preventions and other strategies that save kids’ lives,” Strouse said. A similar bill died last year, but this one has been amended to require public documentation of those who use the information and why. [The Wichita Eagle]

US – Kentucky One Step Closer to Data Breach Bill

The Courier-General reports that the Kentucky Senate State and Local Government Committee unanimously passed a data breach bill that would require most state and local government agencies to notify citizens of electronic breaches of personal information. HB 5 also requires “public agencies and nonaffiliated third parties to implement, maintain and update security procedures and practices, including taking any appropriate corrective action to safeguard against security breaches,” among other provisions.

US – College Hoops Meets U.S. Privacy Legislation

Rep. Jared Polis (D-CO) is pushing Congress to pass the E-mail Privacy Act and, in doing so, appealing to the all-important March Madness bracket. “Ever think Eric Holder’s March Madness bracket looked a lot like yours? Stop the madness, cosponsor the E-mail Privacy Act!” Polis wrote in his tongue-in-cheek letter to Congress. Polis introduced the legislation last year with Reps. Kevin Yoder (R-KS) and Tom Graves (R-GA). The bill would require police to get a warrant before accessing individuals’ e-mails. The bill has more than 180 cosponsors in the House, and Sen. Patrick Leahy (D-VT) has introduced a companion measure in the upper chamber, which has the backing of some major tech firms. [The Hill]

US – Indiana Anti-Surveillance Bill on Its Way to the Gov

The Indiana Senate and House have both passed a bill that would require police to obtain search warrants before using drones, using cellphones to track individuals or demanding passwords for electronic devices among other restrictions. HB 1009 now heads to the Governor for final approval. [the Indianapolis Business Journal]

US – Maryland Del. Proposes Bill Targeting Tracking in Brick-and-Mortar Retail

Del. Sam Arora (D-Montgomery) has introduced legislation in the Maryland General Assembly that would require brick-and-mortar retailers to provide notice if they are tracking shoppers using their cellphones. HB 924 does not propose to end the practice but to notify consumers of it. Some retail organizations are against the measure, however. The Future of Privacy Forum has built an opt-out list similar to the do-not-call list, but no retailers have pledged to abide by it. [The Washington Post]

US – Maryland Sen. Proposes Cell, License-Plate Privacy Bills

Sen. Christopher Shank (R-Washington) presented to the Senate Judicial Proceedings Committee two bills: one that would limit government access to cellphone location data and one to limit license-plate tracking by police. Shank developed the bills with Sen. Jamie Raskin (D-Montgomery), who submitted a drone privacy bill in January. The cellphone privacy bill would require police to get a search warrant before obtaining GPS data from cellphone companies and would require cellphone owners to be notified of the search within seven days of its completion. The license-plate privacy bill would limit police use of license-plate tracking cameras and would require police to destroy the data after 30 days. [The Associated Press]

US – Maryland Del. Proposes Smart-Meter Privacy Bills

Maryland Del. Glen Glass (R-Harford/Cecil County) has proposed two bills to protect consumer data collected by smart meters. HB 331 would prevent utilities from selling smart-meter data to third parties, and HB 332 would allow consumers to decline the installation of smart meters without having to pay excessive fees. Concerns have also been voiced about law enforcement’s use of this data.

US – Maryland Committees Hear Testimony on Cellphone Privacy Bill

The Maryland House Judiciary Committee and Senate Judicial Proceedings Committee heard testimony both for and against a package of bills that would limit law enforcement’s ability to monitor citizens. The bills would require police to obtain a warrant prior to monitoring citizens through cellphones, limit their use of drones and the length of time license-plate scanning records are kept. Members of the American Civil Liberties Union spoke in favor of the package, voicing concerns that laws have not kept up with technology, and law enforcement officials questioned the need for the laws, adding concerns that they may hamper investigations. [The Capital Gazette]

US – Minnesota Committee Advances Anti-Surveillance Bills

The Minnesota House Public Safety Committee advanced two bills that would require police to get a warrant before collecting data from cellphones and other electronic location devices in most cases, and notify cellphone owners within a few months that their information was accessed, reports the Associated Press.

US – Oregon Cell and License-Plate Privacy Bills Fail

Four privacy bills have been recently proposed. Two bills creating exemptions under Oregon public records laws passed, while two others—involving law enforcement’s use of cellphone and license-plate data—failed. Sen. Larry George (R-Sherwood) has vowed to put together an informal workgroup to create a ballot initiative on privacy protections in 2016. George authored cellphone privacy bill SB 1583, which died in a Senate committee, as did license-plate privacy bill SB 1522. [The Oregonian]

US – Ohio House Considers Social Media Privacy Bill

The Ohio House is considering HB 424, which would protect students, employees and job applicants from having to disclose login information to personal social media accounts. Rep. Heather Bischoff (D-Blacklick), the primary sponsor of the bipartisan legislation, said in testimony that the bill is aimed at establishing what is within employers’ and institutions’ rights to research and “what is considered private with regard to social media.” [The Daily Jeffersonian]

US – Colorado Committee Passes Education Data Transparency Bill

The Colorado House Education Committee unanimously passed a bill that would put restrictions on the sharing of education data. While HB 14-1294 doesn’t go as far as some privacy activists would like, it does require the Colorado Department of Education (CDE) to create criteria for the destruction of data and to publicly disclose the names of organizations with which it shares data, limits that sharing, and bans those organizations from using the data for commercial purposes. The bill also formalizes the process of considering outside data requests and requires CDE to create a “data security template” and publish a data inventory. [Chalkbeat]

US – Bill in Delaware Would See Businesses Shelling Out for Outside Breaches

Sen. Dave Sokola (D-Newark) has introduced SB 102, which would see entities that experience outside data breaches paying a $1,000 fine for each individual whose personal information was compromised if no actual damages can be proven. Business groups are concerned with the measure and are working with Sokola to find middle ground. Sokola acknowledged that if businesses have a “standard of diligence that they’re in compliance with,” that should be recognized, but he added that consumers can’t be left out in the cold in a breach. Sokola has also sponsored SB 101, which would increase to seven years the statute of limitations in which victims can bring a civil action for damages relating to a data breach. [WDDE]

US – Delaware House Sees Child Online Protection Act

Delaware Attorney General Beau Biden and Rep. Darryl Scott (D-Dover) have introduced legislation to the state’s House of Representatives that would require web operators to allow individuals to remove content they posted as a minor. HB 261, the Child Online Protection Act, would also prohibit sites and apps targeted at children from advertising products and services that minors cannot legally use. The bill was modeled after California’s “eraser law.” [Law360] See also: [Maintaining kids’ digital privacy is tough but possible]

US – California Sen. Proposes Student Privacy Bill

California Sen. Darrell Steinberg (D-Sacramento) introduced a bill that would help safeguard personal information of public school students, the Los Angeles Times reports. While government-funded schools are prohibited from sharing student data, private companies now have access to it through web-based educational tools. Steinberg’s bill aims to close this loophole in California by barring contractors from sharing student data.

US – South Dakota House Passes Student Privacy Bill

Following unanimous support from South Dakota’s Senate, SB 63 has now unanimously passed the House as well. In its fourth iteration, the bill charges the state Department of Education with creating security measures for student data, prohibits the sharing of student data with the federal government and prohibits school officials from asking about a student’s religious beliefs, gun ownership and seven other things. [Rapid City Journal]

Workplace Privacy

US – Employees Can Be Law Firms’ Prime Data Security Threat

Though recent reports claim government intelligence agencies spied on a major law firm and one of its clients, there is a more common threat to firms’ data security, and that’s their employees. Fox Rothschild Partner Scott L. Vernick said firms must prioritize data security, just like any other business. “To a certain extent, we’ve always been highly mindful of the confidential nature of client data, but I don’t know that that’s translated completely to the thinking that we are just like any other business and so we have to think about data security like any other business,” he said. One key aspect of maintaining data security, he added, is appropriate vendor management. [Mondaq] See also: [Maine Governor Resists Online Work Injury Database] and [Allowing Ontario’s Privacy Tort To Develop In The Health Information Sphere — For Now]

NZ – New Zealand: Tribunal Decision Significant for Employers

A review of the recent Human Rights Review Tribunal decision in Waters v Alpine Energy Limited, suggests it “contains significant developments for employers over their obligations to withhold and disclose private information.” The decision has made it possible for an unsuccessful job applicant to review such information as other applicants’ CVs. “The decision creates an interesting precedent for the treatment of confidential and personal information. The way through this issue is complex, and it would seem that the available options may differ depending on whether the applicant was successful—and therefore is an employee—or unsuccessful,” Wynn Williams Lawyers’ Matthew Prendergast writes. [Mondaq]


15-28 February 2014


JP – Japan and U.S. to Share Fingerprint Data

Japan’s Cabinet has approved a bill designed to implement the recently signed Agreement on Preventing and Combating Serious Crime with the U.S. If passed, the bill will speed up the sharing of fingerprint data on suspected terrorists and people engaged in serious crimes, which now must be routed through Interpol. Under the agreement, each country will be able to send a suspected criminal’s fingerprints to the other to see if there are matches in its database. [Kyodo News International] See also: [The next privacy breach may also steal your fingerprints]

US – NTIA’s Facial Recognition Talks Trigger Debate

This week, in the second in a series of meetings to develop a voluntary code of conduct around the application of facial recognition technology, the scope of the code was debated. Led by the National Telecommunications and Information Administration’s (NTIA) John Verdi, the talks centered on whether or not there should be a dual-use structure for facial recognition’s commercial and government use; specifics on how the technology actually works and links with databases, and how much more time should be spent fact-finding on facial recognition. [The Privacy Advisor]

Big Data

US – White House, MIT Co-Host Privacy Workshop

The White House Office of Science and Technology Policy and MIT co-hosted “Big Data and Privacy: Advancing the State of the Art in Technology and Practice” on March 3. The daylong, livestreamed event included keynotes from White House Counselor John Podesta and Secretary of Commerce Penny Pritzker, along with panels and roundtable discussions. In his keynote, Podesta said the White House remains committed to an open, reliable Internet but understands it requires the application of “timeless privacy values to this technology,” as has been done with each generational shift in modes of communication, from the telephone to e-mail. [Privacy Advisor] [EU: Telecom firms sees gold in big data despite privacy concerns] See also: [Data privacy, machine learning and the destruction of mysterious humanity]

US – Civil Rights Groups Challenge Data Collection

More than a dozen advocacy groups have written a letter to the White House asking it to craft legislation that would put teeth into the Consumer Privacy Bill of Rights. The groups are backing a set of principles aimed at pushing back against data collection they argue is used to discriminate against minorities in law enforcement, hiring and commerce. Groups are backing principles to end “high-tech profiling,” introduce protections in automated decision-making systems, put pressure on the private sector to be more transparent about data and “protect people from inaccurate data,” the report states. “Big Data has supercharged the potential for discrimination by corporations and the government in ways that victims don’t even see,” said Leadership Conference on Civil and Human Rights’ Wade Henderson. [The Washington Post] [Full Story] [letter to the White House]

WW – Proposal: Use Oil Spill Remedies on Data Breach Problem

After the string of data breaches that affected Target, Neiman Marcus and other retailers, the security vulnerability of Big Data has come under scrutiny. The proliferation of data breaches also has banks, retailers, credit card companies, regulators and others all asking one question: How do we solve the data breach problem? At the Maine Law Review 2014 Privacy Symposium last week, Capital University Law Prof. Dennis Hirsch suggested we look to environmental law to find an answer. While Hirsch admits his paper’s recommendations are “intended (to be) provocative suggestions (rather) than full-fledged proposals … to spark creative thinking about solutions,” [The Privacy Advisor]


CA – Court Grants Plaintiffs Anonymity in Medical Marihuana Case

The Federal Court of Canada has agreed that denying plaintiffs anonymity in a court proceeding “would disclose the very information they seek to protect and exacerbate the damage and/or risk of harm that has already been caused by Health Canada’s mailing that identified them” as taking part in the Medical Marihuana Access Program. Health Canada had argued public opinion on marihuana use is now “more accepting,” the report states, but the court rejected that argument, stating, “Disclosing their identities discloses that a course of treatment has been prescribed by them by a medical doctor and that they suffer from serious health conditions and symptoms.” [Canada NewsWire]

CA – Why Are Police Not Subject to FOIP?

Why are police not subject to Saskatchewan’s information access and privacy laws? “Police chiefs in both Regina and Saskatoon have expressed concern that the Freedom of Information and Privacy (FOIP) Act would put police work and sensitive information at risk,” a report states, noting the province’s former privacy commissioner, Gary Dickson, disagrees. “Being subject to FOIP doesn’t mean that a public body loses all control and all of the records can go out the door,” he said. [The Regina Leader-Post] [SK: Privacy, police and politicians: Sask. gov’t responds to call for police to become subject to information laws] See also: [Ontario Provincial Police weighing mischief charge in deleted Liberal emails probe]

CA – Experts Examine Next Step for Alberta’s PIPA

James Bond, Robert W. Pakrul and Eileen Vanderburgh look back at the November decision by the Supreme Court that Alberta’s Personal Information Protection Act (PIPA) is unconstitutional and consider what will come next. “Varying degrees of scope of amendment could possibly be advanced to deal with the constitutional issues arising from PIPA’s structure, which establishes a broad prohibition against any information collection, use or disclosure absent consent,” they write. Alberta Information and Privacy Commissioner Jill Clayton’s recommendation is “that the most appropriate scope of change is the narrowest one,” they write, citing her view that the narrowest change “would preserve the delicate balance between freedom of expression rights, and legitimate privacy expectations of individuals, which PIPA is designed to protect.” [Mondaq]

CA – Court Generates List of Factors for Metadata Cases

A recent Nova Scotia Court of Appeal case addressed “questions of relevance, proportionality and privacy in the context of whether or not to order the production of electronic information.” Laushway v. Messervey resulted in a court order requiring a plaintiff to produce a hard drive containing metadata for forensic review, and the court has created “a list of factors for judges to consider when deciding whether to grant a production order in similar circumstances,” the report states. Among the factors the court recommends in its list are privacy, balancing, objectivity, discoverability and reliability. [Mondaq]


US – Cline: U.S. Leads World in Privacy Violation Fines

Jay Cline writes on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.” [Computerworld]

US – AGs Want State Breach Laws Kept on Books

Given that there is no federal law regulating data breaches, most states have created their own rules on data breach disclosures, and state attorneys general (AGs) are interested in keeping it that way. While a federal baseline law would be welcome, state AGs want to keep their laws in place. “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.” [Politico] See also: [Maryland: Bill would require drivers in serious accidents to give police cell phone information]

US – Survey: Users More Hesitant to Click on Ads, Use Unknown Apps

TRUSTe has released its third annual consumer confidence privacy research survey, which found that privacy concerns are up significantly from last year, with 74% indicating they are more concerned about privacy than they were a year ago. While 70% said they are more confident than one year ago that they can manage their online privacy, that may have negative repercussions for industry, with those surveyed indicating that means not clicking on ads or using apps they don’t recognize. [Full Story]


CA – Citizenship and Immigration May Share More Data

A memorandum prepared for Citizenship and Immigration Minister Chris Alexander indicates that “the government is building an information technology system that could be used for the systematic exchange of biometric data with Britain, Australia and New Zealand” in addition to the perimeter security pact with the U.S. “Systematic sharing is preferable to manual case-by-case sharing because it can generate faster responses and be done at higher volumes,” according to the memo. The Office of the Privacy Commissioner has voiced concern “about high-volume, routine information sharing with other countries, saying it may be impossible to control what happens to that data once sent abroad,” the report states. [The Canadian Press]


WW – Dutch Telecom and Silent Circle to Encrypt Phone Calls

Dutch telecommunications provider KPN has struck a deal with encryption service Silent Circle to provide customers in Belgium, Germany and The Netherlands with encrypted phone calls and text messages. Silent Circle currently has servers in Canada and has plans for one in Switzerland. KPN has said it plans to build a server in The Netherlands so that data doesn’t leave the country. This June, KPN customers will be able to download Silent Circle services Silent Phone and Silent Text. Silent Circle has also been working with Geeksphone to create the Blackphone, a smartphone designed to protect user privacy. [PC World] See also: [New TextSecure delivers smoother encryption]

WW – Cryptographers at RSA: “Users Seem to Now Mind Giving Up Privacy”

If there are buzzwords at this year’s RSA conference, they are without question “mistrust” and “NSA.” And if there’s anywhere the irrefutable impact of the “Summer of Snowden” reverberates, it’s through the corridors of the Moscone Center in San Francisco, CA. During the Tuesday morning keynote, panelists Whitfield Diffie of SafeLogic, Brian LaMacchia of Microsoft Research, Paul Kocher of Cryptography Research, Inc., MIT’s Ron Rivest and Adi Shamir of Israel’s Weizmann Institute of Science expressed “shame” and “shock” at the NSA revelations but also offered up a vision of where cryptography is going and how it might affect the privacy industry. [Angelique Carson]

EU Developments

EU – German Court: Facebook Must Comply with Data Protection Law

The Higher Court of Berlin has ruled Facebook must comply with German data protection law. However, that decision, which confirms a 2012 decision finding the social network’s “Friend Finder” violated the country’s law, has “directly contradicted an earlier decision by another court,” the report states, citing a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein. The Higher Court of Berlin also found portions of Facebook’s privacy policy and terms of service violate the law. The Federation of German Consumer Organisations, or VZBV, called the decision “a milestone for data protection in the Facebook era.” [PC World] See also: [Angela Merkel: Let US spies keep their internet. The EU will build its own]

EU – Dutch Law Enforcement Calls for Improvements

Dutch law enforcement officials want improvements in how communications data is collected and stored, citing a justice ministry evaluation of The Netherlands’ data retention law. “Law enforcement officials that participated in the evaluation called for an expansion of the retention period for the data to a full 12 months, as well as an end to distinctions between telephony and Internet data,” the report states, noting, “For mobile calls, they also want not only the time when the call started recorded but also the time it ended.” [Telecompaper]

EU – Swedish Telecom Privacy Rules Go Into Effect in September

PTS, Sweden’s postal and telecoms regulator, is establishing requirements for telecoms operators to protect their customers’ personal information and communications. “Among other things, the new regulations deal with the question of who is allowed to access and handle customer information. PTS said only people with the correct training and who need the information in order to carry out their work will be able to access sensitive details about customers and their communications,” the report states. The regulations are scheduled to go into effect on 1 September. [Telecompaper]

EU – Will Facebook-WhatsApp Deal Be Probed by EU DPAs?

The Facebook-WhatsApp deal may trigger privacy investigations from data protection authorities (DPAs) across the EU. Article 29 Working Party Chairman Jacob Kohnstamm said the acquisition may get the interest of DPAs. He said that DPAs “could, having heard about the merger, decide to do research into the product as well” and subsequently all “28 data protection regulators could open an investigation.” The main concern, he said, is the collection of data from users’ mobile address books when they download the application. Meanwhile, Finland-based Nokia is facing criticism after it was revealed that its Lumia line of Windows Phones transmitted personal data—including that of some senior members of Finland’s government—to Microsoft servers in the U.S. [Bloomberg Businessweek]

UK – Commissioner Graham Tenure Extended Two Years

UK Information Commissioner Christopher Graham will remain in his current position for at least the next two years after the Queen officially approved his reappointment. The UK Ministry of Justice said the official start date of his reappointment begins on June 29. Graham said he is “delighted” to remain in office. “I don’t underestimate the challenge of leading the ICO at this time,” Graham said. “But unlike any other public body that I know, it falls to the ICO to champion both the right to privacy and the right to know for citizens and consumers—here in the UK, in Europe and internationally … It’s a big responsibility and the next phase certainly won’t be dull.”

EU – The CNIL Is Making Its Mark

With an uptick in inspections, 43 formal compliance notices, its president named the new chair of the Article 29 Working Party and a record fine against Google for noncompliance with the French Data Protection Act, the French data protection authority, the CNIL, is asserting itself in the international data protection scene. Olivier Proust of Field Fisher Waterhouse offers concrete examples of the CNIL’s growth, resourcefulness and experience, noting “companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.” In a separate report, Proust looks at concerns regarding privacy and France’s new law on real-time geolocation. [Privacy Tracker] [Google acquires password sounds startup SlickLogin]

WW – On Leveraging Big Data While Complying with Law

The Big Data Project (BDP), an Open University study, is looking into how organizations can leverage Big Data while complying with EU data protection principles. Sara Degli Esposti, a research fellow at the Open University Business School, discusses the study, asking, “What kind of legislation do we need to create that positive system of incentive for organizations to innovate in the privacy field?” The BDP “represents a chance for you to contribute,” she writes, “and learn about, the debate on the reform of the EU Data Protection Directive.” The BDP is open to employees concerned with data management or use “from all types of organizations … with interests in Europe.” [Privacy Perspectives]

Facts & Stats

US – AT&T Reveals Gov’t Requests for Data

AT&T has revealed it received 302,000 data requests in 2013 related to criminal and civil cases. The requests from local, state and federal authorities include more than 248,000 subpoenas, 37,000 court orders and 16,000 search warrants, the report states. AT&T was also asked nearly 38,000 times “to share real-time and historical locations of its customers” and another 94,000 times to share location data in an “emergency” situation. The AT&T report is similar to that of Verizon, which last month also released its report on government requests for data. [CNET News]

US – OWASP Looking for Volunteers for Privacy Top 10 Project

In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. The project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool. Sound like something privacy pros could use? Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help. [Full Story]

WW – On Breach Response, 50 Percent of Execs Are in the Dark

One half of executives surveyed have not been trained in what to do in response to a data breach, according to a report from The Economist Intelligence Unit. The report surveyed 341 senior business leaders from around the world, almost half of whom are C-suite-level executives; the unit then conducted a series of in-depth interviews with 17 senior executives on managing digital assets. Among the key findings, the report states that data risk awareness does not extend evenly across most organizations. The most knowledgeable departments tend to be IT and finance, due to the sensitive information they deal with. “This low level of awareness across the company is equally true vertically,” the report states. [The Economist Intelligence Unit’s Information Risk]


US – Utah Considers Expanding DNA Collection Practices

The Utah Senate Judiciary, Law Enforcement and Criminal Justice Committee has approved a bill that would allow law enforcement to collect DNA samples from those convicted of felonies at the time of booking. Rep. Steve Eliason (R-Sandy), who proposed HB 212, says DNA testing helps “law enforcement know much sooner who they have in custody and how they should handle and treat them.” However, the Utah Association of Criminal Defense Lawyers says the bill violates the rights of innocent people. [Deseret News]

Health / Medical

US – ONC Announces Plans for Privacy Tools for Providers

The Office of the National Coordinator for Health Information Technology (ONC) is working to provide more tools to help providers, including a downloadable security risk assessment tool. Laura Rosas, senior policy advisor at the Office of the Chief Privacy Officer, said at the HIMSS14 conference on Tuesday that “small practices don’t really understand what a risk assessment is and what the process entails,” adding, “we know from Office for Civil Rights audits that these practices simply aren’t doing the assessment.” The ONC already offers tools in the way of a training game and notice of privacy practice templates. [Healthcare IT News] See also: [Can You Trust What’s In Your Electronic Medical Record?]

US – HIPAA Changes Mean Tightening Vendor Relationships

With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information security management. Particularly, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear on performing appropriate due diligence. [The Privacy Advisor] See also: [E-patient record system makes uneven playing field, says MD] and [Healthcare organizations under siege from cyberattacks, study says]

Horror Stories

WW – Info from 360M Accounts Available for Sale; Other Breaches Reported

Hold Security LLC has announced uncovering “stolen credentials from some 360 million accounts that are available for sale on cyber black markets,” citing risk beyond stolen credit card data “because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.” Separately, Identity Finder has released research indicating “an estimated 630,000 social security numbers on nonprofit organizations’ tax returns … have been posted online,” and Indiana University has reported a breach involving the names, social security numbers and addresses of 146,000 current and former students. Meanwhile, the House Committee on Oversight and Government Reform is seeking documents related to the Target breach and has asked for all documents to be submitted by March 10. [NBC News]

PR – Puerto Rico Health Org Faces $6.8M Penalty

Triple-S Management has said the Puerto Rico Health Insurance Administration (PRHIA) plans to levy a $6.8 million fine stemming from a security breach to the health insurer’s subsidiary, Triple-S Salud (TSS). A filing with the Securities and Exchange Commission indicates the penalty is related to a breach affecting 13,336 Dual Eligible Medicare beneficiaries. TSS mailed notification letters to some recipients last September, which included some of the recipients’ Medicare Health Insurance Claim Numbers, which are considered protected health information. TSS said, “We take this matter very seriously and are working to prevent this type of incident from happening again.” [The Wall Street Journal]

US – 300,000 Records Breached; Calls for Cybersecurity Continue

A “sophisticated” cyber-attack has compromised the personal information—including names, Social Security numbers and birth dates—of more than 300,000 University of Maryland faculty, staff and students. Meanwhile, The Hill reports calls for congressional action on cybersecurity are continuing. One expert hopes the release last week of a cybersecurity framework by the White House will help spur Congress to take action. In a video by The Wall Street Journal, experts discuss how Target managed the fallout from its breach and its effect on the company’s bottom line. According to one report, nearly 800 million personal records were exposed in 2013. One organization has put together a “Breach Level Index” to assess the varying degrees of a breach’s impact, and Steptoe & Johnson’s Jason Weinstein discusses preventative measures businesses can take. [CNET] and [ loses customer credit card data in security breach]

Identity Issues

WW – The Rise of Bring-Your-Own Wearable Device

A report examines the rise of wearable technology and how it has been, and will be, integrated into the work environment. Early adopters include Tesco, which gives smart armbands to workers to help track goods, distribute tasks and measure location movements. Another firm, Pru Health, offers employees Fitbug health devices as part of its “Vitality” program. These devices supplied by employers, as well as bring-your-own wearable devices (BYOWD), have robust personal data-gathering potential—including swaths of sensitive personal information. As smart glasses and wearable cameras become more integrated into the work environment, businesses will have to consider BYOWD policies to protect employees’ privacy expectations, the report states. See also: [A Privacy Pro Takes a Test Drive With Google Glass] and [Cops recover 100 stolen IDs]

Intellectual Property

US – Media Orgs Want Gmail Docs Released

A coalition of news organizations is asking U.S. District Court Judge Lucy Koh to unseal court documents related to a Gmail lawsuit. “This case has the potential to not only affect the rights of the millions of class members but also to set precedent on vital issues of first impression for privacy law,” the coalition wrote in papers filed in U.S. District Court. The news organizations contend that neither Google nor consumers involved in the suit have demonstrated a need for the documents to be sealed, writing, “Instead, the parties have asked the court to reflexively seal thousands of pages of documents in a case that could impact the privacy rights of millions of Americans.” [MediaPost] See also: [US: News Orgs Oppose Attempt To Seal Records In Gmail Privacy Case] and [Updated: Canadian ISP to name subscribers linked to illegal downloading]

Internet / WWW

WW – Oracle to Buy BlueKai for $400M

Oracle has agreed to acquire BlueKai for a reported $400 million, though terms were not publicly disclosed. Among BlueKai’s offerings is technology that allows for data transfer independent of cookies but with “the same transparency and notices that cookies have.” The report says Oracle plans to integrate BlueKai with other cloud marketing products Responsys and Eloqua to “give its customers the ability to more precisely personalize messages to consumers and B-to-B buyers—the people those products are used to reach.” [AdAge]

Law Enforcement

CA – Public Database of Child Sex Offenders to be Part of Pedophile Crackdown

The federal government plans to create a publicly accessible database of high-risk child sex offenders as part of a bill that takes aim at those who prey on young people. The legislation introduced this week would also require registered sex offenders to provide more information when they travel abroad and permit more sharing of information between federal agencies. The most contentious element of the package could be the plan for a public database, which some warn can lead to vigilante-style attacks against sex offenders released from prison. Public Safety Minister Stephen Blaney said the government would make no apologies for the approach. The bill would allow the RCMP to begin discussions with provincial and municipal authorities to establish the national database using existing information on high-risk child sex offenders who have been the subject of a notice to the public. “What this national database will do is to make sure that this information is available throughout the country in a standardized manner,” Blaney said. In 2012-13, more than 3,900 sexual offences occurred in Canada against children, an increase over the previous year. [Source] See also: [Toronto police to test out lapel cameras]


US – Franken to Reintroduce Geolocation Privacy Bill

U.S. Sen. Al Franken (D-MN) has announced plans to reintroduce the Location Privacy Protection Act, which would require express consent in order for nongovernment entities to obtain geolocation information from an electronic communication device, among other provisions. The bill would apply to a range of businesses that interact with customers’ geolocation data and would allow enforcement by the federal attorney general, state attorneys general and private citizens. [Inside Privacy]

US – Site to Allow Users to Opt Out of Location Tracking

The Future of Privacy Forum (FPF) will today launch, a website offering consumers the ability to opt out of location tracking by entering in their phones’ MAC address. A coalition of 11 mobile analytics companies have agreed to honor the requests to opt out, which will take effect in 30 days. The FPF is working with participating companies on developing signs to alert shoppers about the site, said FPF Executive Director Jules Polonetsky, [MediaPost]

WW – Privacy Issues Raised by 3D Room-Mapping Program

Google recently announced Project Tango, an Android-based phone with built-in, super-advanced 3D sensors capable of mapping a given area around the device, including the interiors of buildings. In its announcement, Google asked, “What if you could capture the dimensions of your home simply by walking around with your phone before you went furniture shopping?” The technology is currently only available to 200 developers, and Google says the technology is still in the early stages, but the report suggests potential privacy implications, including where the maps would be stored and who would have access to them. [Motherboard]


IN – Indian Gov’t Plans to Create DPA, Give Citizens Privacy Rights

The government plans to grant all residents a right to privacy and establish a data protection authority (DPA) to rule on issues involving privacy and impose penalties for violations. Under the draft “Right to Privacy” bill, the DPA will investigate data breaches and issue orders to protect those affected. The draft bill also prohibits “covert surveillance of individuals which leads to breach of their privacy, unless authorized by law.” Exemptions to the bill have been proposed for national safety or security and maintenance of public order. [The Economic Times]

Online Privacy

WW – New Book on Social Network Privacy by danah boyd

It’s Complicated: The Social Lives of Networked Teens, a new book by danah boyd, is now available. K Royal describes the work as “easy to read, applicable to the privacy field and full of interesting, well-considered research.” Royal provides an overview of the book’s eight chapters and considers the relevance of the subject matter for privacy professionals and the general public alike. “I can do nothing less than highly recommend this book” to those interested in privacy or issues affecting teens, Royal writes. [The Privacy Advisor]

US – Facebook-WhatsApp Deal Prompts Privacy Concerns

Facebook CEO Mark Zuckerberg will keynote next week’s Mobile World Congress, where privacy is expected to take on a large role at the event this year. And while Telefónica, Deutsche Telekom AG, Orange SA and KPN have begun offering users more control, Facebook’s deal to buy WhatsApp has some concerned about its privacy implications. Schleswig-Holstein Data Protection Commissioner Thilo Weichert has said WhatsApp users should switch to a more secure messaging service. But, in a blog post, WhatsApp said “nothing” will change for its users. The Washington Post reports that WhatsApp Co-Founder Jan Koum’s years of living in Ukraine contribute to the strong focus on user privacy. [Bloomberg Businessweek]

WW – Dating App Vulnerability Allowed for Pinpointing User Locations

Tinder, an app facilitating spur-of-the-moment dating, reportedly has a security problem leading to users’ exact physical locations being divulged without their consent. Instead of rounding to the nearest mile when searching for potential dates in your immediate vicinity, the app’s servers were giving out data that would allow hackers with “rudimentary skills” to determine a user’s location within 100 feet. Security researchers told Tinder about the security lapse in October; the company responded in December and addressed the problem, the report states. [The Washington Post]
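The remedy the report describes is coarsening the distance on the server before it reaches the client. The Python below is an added illustration of that defensive pattern, written for this digest; it is not Tinder’s code, and the grid-snapping step is an additional, assumed mitigation layered on top of rounding. Coordinates, the grid cell size and the one-mile step are constructed values for the example.

```python
"""Server-side coarsening of proximity data (added example, not Tinder's code).

A proximity feature needs to tell a viewer roughly how far away another
user is, but the precise great-circle distance is a measurement of that
user's position.  Two mitigations are shown here:
  1. snap the other user's coordinates to a fixed grid before any distance
     is computed, so the server never reasons about the true point, and
  2. round the resulting distance to a coarse step (the "nearest mile" in
     the report) before it leaves the server.
"""
import math

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius; constant chosen for the example


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def snap_to_grid(lat, lon, cell_deg=0.01):
    """Quantise a coordinate to a fixed grid (assumed mitigation).

    The snapped point is a stable, coarse surrogate: small movements inside a
    cell do not change it, so repeated queries cannot track them.
    """
    return round(lat / cell_deg) * cell_deg, round(lon / cell_deg) * cell_deg


def coarsen_miles(precise, step=1.0):
    """Round a distance to the nearest `step` miles and never report less than
    one step, so a zero or near-zero distance is not exposed either."""
    return max(step, step * round(precise / step))


def reported_distance(viewer, target, step=1.0, cell_deg=0.01):
    """What the API should return: distance from the viewer to the grid-snapped
    target, rounded on the server.  `viewer` and `target` are (lat, lon) tuples."""
    snapped_lat, snapped_lon = snap_to_grid(target[0], target[1], cell_deg=cell_deg)
    precise = haversine_miles(viewer[0], viewer[1], snapped_lat, snapped_lon)
    return coarsen_miles(precise, step=step)


if __name__ == "__main__":
    # Constructed sample positions near the equator/prime meridian for clarity.
    viewer = (0.0, 0.0)
    target = (0.1, 0.0)                # ~6.9 miles due north of the viewer
    nudged = (0.1, 0.0008)             # same user a few hundred feet east
    print("precise :", round(haversine_miles(*viewer, *target), 3), "mi")
    print("precise':", round(haversine_miles(*viewer, *nudged), 3), "mi")
    print("reported:", reported_distance(viewer, target), "mi")
    print("reported':", reported_distance(viewer, nudged), "mi")
```

The two precise values differ at the third decimal place, which is exactly the information the report says should not be handed out; the two reported values are identical, because the nudge stays inside one grid cell and the distance is rounded to the mile.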

US – Senate Candidate Posts “Gruesome” Medical Images Online

A U.S. Senate candidate’s Facebook postings “of gruesome X-ray images of gunshot fatalities and medical injuries to his Facebook page” have raised ethics and privacy concerns. Milton Wolf, a Kansas radiologist “anchoring a campaign for the Republican nomination with calls for federal healthcare reform,” has said the images are legal and were uploaded for educational purposes. However, the images included disparaging comments about the victims, the report states. “The dignity and privacy of the individual should be protected,” said Center for Practical Bioethics President John Carney. “It doesn’t sound like they’re being protected if they’re, obviously, on Facebook.” [The Topeka Capital-Journal]

US – BBB Finds Site Did Not Comply With COPPA

The Better Business Bureau Children’s Advertising Review Unit has found that a Harper Collins website did not comply with the Children’s Online Privacy Protection Act (COPPA). “The Ruby Redfort site, touting a book series that features a 13-year-old girl detective, didn’t have procedures in place to obtain verifiable parental consent before collecting names, street addresses and e-mail addresses from children,” the report states, noting COPPA prohibits websites from “knowingly collecting” such data from children under the age of 13. Meanwhile, The Washington Post and Forbes report on the emergence of anonymous apps and social networking sites filling “a growing demand among teens for more fun, less accountability and more privacy online.” [MediaPost]

Other Jurisdictions

MX – Regulator Plans to Issue “Abundance” of Fines

Mexico’s data protection authority (IFAI) has issued a statement announcing it will issue “an abundance of fines in 2014 following an unprecedented increase in violations of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties,” Reed Smith’s Cynthia O’Donoghue writes. The IFAI has the authority to issue fines for such violations of up to $1.5 million and up to three years imprisonment for data controllers whose databases are breached under their control, with double penalties for “sensitive data.” [Mondaq]

HK – Hong Kong PCPD Releases Guidance on Privacy-Management Programs

The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The guide is aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, “Legal rights do not save you from dissatisfied customers,” explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31. [The Privacy Advisor]

SK – South Korea’s FSS Announcing New Measures

South Korea’s Financial Supervisory Service (FSS) is preparing to announce measures to “better protect personal information (PI) handled by financial firms following a recent massive data leak,” Yonhap News Agency reports. The measures include limiting financial firms from requesting “too much” PI. “The newly crafted measures may go into effect starting in April after preparation works,” said an FSS official. The breach that prompted the measures involved PI on “half of the country’s 50-million population” from three credit card firms—KB Kookmin, NH Nonghyup and Lotte—and Kookmin Bank. [Full Story]

BR – Amendments to Brazil’s Proposed Internet Privacy Law Jeopardize Privacy

Activists have launched an online campaign aimed at removing one of the recent amendments to Brazil’s Internet bill of rights, which is expected to be voted on by Congress at the end of the month. The activists say the amendments put net neutrality and user privacy in jeopardy, citing specifically Article 16, which requires service providers to retain personal data of consumers. [Global Voices]

TU – Turkish President Signs Internet Law

Turkish President Abdullah Gul has signed a law giving the government the power to monitor Internet activity and block content it deems illegal or to be “violating privacy” of a person. The law also requires Internet providers to retain records on users for two years. While the prime minister argues the change will protect privacy and further democracy, critics say it is an attempt to squash freedom of speech in advance of the upcoming elections. [The Wall Street Journal]

SA – Complying with South Africa’s New Privacy Laws

South Africa’s Protection of Personal Information Act (POPI) was signed into law last November but has yet to come into force. “Once a commencement date is announced, companies will only have one year to get their houses in order,” according to Accenture’s security practice lead. The law has brought the country in line with international data privacy laws and is based on the EU directive. [ITWeb]

AU – Australian Privacy Principles Finalized, Effective March 12

The final iteration of the Australian Privacy Principles (APPs) has been issued by the Office of the Australian Information Commissioner following public consultation. Public and private organizations must adhere to the APPs when they go into effect on March 12 along with the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which gives Australian Privacy Commissioner Timothy Pilgrim a mandate to seek civil penalties of up to $340,000 for individuals and $1.7 million for businesses in cases of serious breach incidents. Pilgrim said, “Most of the requirements contained in the APPs are not new, and business and government should be ready to hit the ground running come March 12.” [Computerworld Australia]

AU – Hacked Companies Off The Hook Under New Privacy Laws

The Office of the Australian Information Commissioner (OAIC) has confirmed it won’t hold organisations accountable for the exposure of personal information when accessed via a cyber attack, as long as the Office is satisfied with the level of security in place within the targeted systems. New privacy rules strengthening the enforcement power of the OAIC come into effect on 12 March 2014. In final guidelines on the way these laws are likely to be enforced, the OAIC made a distinction between what it will treat as a ‘disclosure’ of personal information – which could incur penalties of up to $1.7 million under the new regime – and ‘unauthorised access’. “An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information,” the guidance noted. Incidents falling into this category would include “a cyber attack” or “theft, including where the third party then makes that personal information available to others outside the entity,” the guidelines explain. [Source]

Privacy (US)

US – DoJ Asks FISC for Increase in Retention Limits

The Department of Justice has asked the Foreign Intelligence Surveillance Court for a term limit extension for how long it can retain telephone metadata beyond the current five years, citing civil suits regarding the data. In a filing made public on Wednesday, the DoJ wrote, “A party may be exposed to a range of sanctions not only for violating a preservation order, but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.” The ACLU, Sen. Rand Paul (R-KY) and the First Unitarian Church of Los Angeles have filed civil suits challenging the phone metadata collection program. [IDG News Service]

US – AG Holder Calls for National Breach Law

Attorney General Eric Holder has called on Congress to enact federal data breach protection legislation. “A strong, national standard for quickly alerting consumers whose information may be compromised … would empower the American people to protect themselves if they are at risk of identity theft,” he said. “It would enable law enforcement to better investigate these crimes—and hold compromised entities accountable when they fail to keep sensitive information safe.” In response to claims this would overwhelm law enforcement, Holder said legislation should have exceptions for small breaches. Meanwhile, Bloomberg is reporting the hackers who compromised Neiman Marcus are almost definitely separate from those who attacked Target, and the number of cards affected is fewer than initially reported: a maximum of 350,000. [CNN]

US – FTC’s Brill Pushes for Data Privacy Laws

Federal Trade Commissioner Julie Brill has called on Congress to pass three privacy laws, including transparency requirements for data brokers. Consumers should have the right to view and correct information compiled about them, she said. “I believe we should be concerned about the damage that is done to our sense of privacy and autonomy in a society in which information about some of the most sensitive aspects of our lives is available for analysts to examine without our knowledge or consent and for anyone to buy if they are willing to pay the going price,” Brill said, adding, “I think it is increasingly clear that the United States needs data security legislation.” [The Hill]

US – Judges: Users Have Right to Text Message Privacy

The Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices. In two 5-4 decisions, justices overturned drug convictions that hinged on law enforcement access to text messages without warrants. Justice Steven Gonzalez wrote in one of the cases, “Text messages can encompass the same intimate subjects as phone calls, sealed letters and other traditional forms of communication that have historically been strongly protected under Washington law.” The Electronic Frontier Foundation’s Hanni Fakhoury said, “People have a right to have those messages delivered without fear of government intrusion or interception, and if the government wants to intrude or intercept them, they have to get a warrant or wiretap to do so.” [Associated Press]

Privacy Enhancing Technologies (PETs)

WW – Making Online Privacy More User-Friendly

With increased awareness about online privacy issues, both from the public and private sectors, a host of online privacy tools exist, but for the most part they can be difficult to use. GigaOM reports on a group of experts attempting to make online privacy tools more user-friendly. Groups have been attempting to “redecentralize” the Internet, but, the report states, the open-source scene is often made up of users more concerned with function than with the user experience. Eleanor Saitta, of the Open Internet Tools Project, said, “There are still a lot of people in the (developer) community who are, ‘If I can use this tool, why can’t everyone?’ A lot of people aren’t willing to acknowledge that if ordinary users can’t use it, they won’t.” [GigaOM] See also: [The dirty little secret of secret-sharing apps]

WW – Mozilla Rolling Out New Privacy Features

In a partnership with Deutsche Telekom, Mozilla said it plans to release new privacy and security features for its Firefox operating system. The focus of its Future of Mobile Privacy project is emerging markets. Mozilla has found the most prevalent concerns include lost/stolen mobile devices and the privacy of sharing personal information among friends and family. Mozilla Global Privacy and Public Policy Leader Alex Fowler said Mozilla will “be calling on the privacy and security community to start dreaming up what they think are exciting features and services, and we want to prototype and make those part of future releases as well.” [ComputerWeekly]

WW – Surveys Offer Insights Into Consumer Perspectives

Two recent studies offer insights into consumer perspectives on the use of their personal information (PI). A survey from content management and analytics firm SDL indicates “nearly two-thirds of consumers in the U.S. and around the world are worried about how marketers are using their personal information.” However, about 80 percent are willing to provide PI “to a trusted brand as long as brands are transparent about how they collect and use their information and as long as they get something in return.” A Fortinet study of Gen-Xers and Millennials, meanwhile, found differences in “philosophy about security and privacy” from one generation to the next. [AdWeek]

WW – If Gov’t Won’t Protect Privacy, Innovation Will

Mike Janke spent 14 years as a Navy SEAL. He’s been around the block, so to speak. And the U.S. government’s decision to circumvent the controls in place to protect innocent citizens’ communications en masse has him scared right now. Janke, now CEO of Silent Circle, was talking about the “Summer of Snowden” revelations during a session at RSA 2014 entitled “Mission Impossible? Building and Defending Zero-Knowledge Privacy Services.” The Privacy Advisor reports on the discussion among Ethan Oberman of cloud-based synchronization and sharing service SpiderOak, Nicko van Someren, CTO of Good Technology, and Janke about the new premium on “zero-knowledge” technology models that allow users to maintain complete control of their data access, and about new technological solutions for privacy. [Full Story]

WW – Digital Assistant to Offer Privacy Controls

Microsoft plans to release a personal digital assistant, Cortana, in its new Windows Phone, complete with granular privacy controls for users, The Verge reports. Users will reportedly be able to control what data is shared with Cortana, including location data, behaviors, personal information, reminders and contact information. According to the report, Cortana will only store such data to Notebook if it’s granted permission by the user to do so, and any stored data can be edited or deleted. [The Verge]

WW – New Program Manages Privacy Settings

My Face Privacy is a new product from Israeli software firm CallingID, designed to manage the privacy settings of multiple social networking sites—including Facebook, Twitter, Google+ and LinkedIn. The desktop-only application works like a password manager and offers four preset privacy settings. “Social networks are trying to make as much information visible to as many groups as they can,” said CallingID Executive Vice President Yair Nissan. “They have a default set of privacy policies, which is not restrictive at all. They complicated the way that you can change and manage your privacy settings—you have to go through many screens, and unless you’re an expert, you probably won’t find all the different parameters because they’re hiding them very well.” [GigaOM]

US – Survey: 48% of IT Professionals Say NSA Overreached

The intersection of privacy and security is a “minefield of complex issues that need to be navigated by tech vendors, users and governments.” That was what Sean Michael Kerner took away from the RSA Conference last week, where the National Security Agency (NSA) was one of the many exhibitors to have an expo hall booth. A survey of IT professionals at RSA found that 48 percent said the NSA had overreached in its programs, while 52 percent said it did not. At one conference session, FBI Director James Comey appealed to IT professionals for ideas on how to balance the need for surveillance with privacy concerns. [eWeek] [US: Feds Refuse to Release Public Comments on NSA Reform — Citing Privacy] and [Spy Chief: We Should’ve Told You We Track Your Calls]

WW – SSL Bug Found in Apple Operating Systems

Security researchers and experts discovered a coding flaw late last week in the operating systems that run Apple’s mobile devices and computers that could allow hackers to circumvent encrypted connections. A single line in the software omitted commands to authenticate an encrypted website’s certificate, meaning hackers could impersonate sites and capture all the electronic data being communicated by users. Cryptography expert Matthew Green said, “It’s as bad as you could imagine; that’s all I can say.” Apple has offered a software update for mobile devices and said it would release a patch for Mac computers “very soon.” The bug has allegedly been present for months, and some have questioned whether it was a spy’s attempt to create a “back door” into the devices. [Reuters] [Apple promises to fix OS X encryption flaw ‘very soon’] See also: [iOS security hole reportedly exposes your screen input]
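The flaw described above was widely reported to be a duplicated, unconditional `goto fail;` line in the TLS key-exchange verification routine, which jumped past the final signature check while the error variable still held "success". The following C block is an added illustration of that control-flow shape, not Apple's code: the hash step, the expected signature bytes and the `OSStatus` error values are constructed stand-ins, and the two functions show the vulnerable and the corrected structure side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for this example (not Apple's types or values). */
typedef int OSStatus;
enum { errOK = 0, errHashFailed = -1, errBadSignature = -2 };

/* The only "signature" our toy verifier accepts; real code would run an
 * RSA/ECDSA verification over the handshake hash here. */
static const uint8_t kExpectedSig[4] = {0xAA, 0xBB, 0xCC, 0xDD};

/* Pretend to absorb data into a hash context; always succeeds. */
static OSStatus hash_update(int *ctx, const uint8_t *data, size_t len) {
    (void)data;
    (void)len;
    (*ctx)++;
    return errOK;
}

/* Constant-shape stand-in for the signature check. */
static OSStatus verify_signature(const uint8_t *sig, size_t len) {
    if (len != sizeof kExpectedSig || memcmp(sig, kExpectedSig, len) != 0)
        return errBadSignature;
    return errOK;
}

/* Vulnerable shape: the second `goto fail;` is not governed by any `if`,
 * so it is taken unconditionally. verify_signature() becomes dead code and
 * `err` is still errOK from the hash step, so a forged signature passes. */
OSStatus verify_key_exchange_vulnerable(const uint8_t *sig, size_t len) {
    OSStatus err;
    int ctx = 0;
    if ((err = hash_update(&ctx, sig, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: indentation hides the bug */
    if ((err = verify_signature(sig, len)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: every jump is guarded, every `if` body is braced, and
 * the signature check is reached. Braces plus an unreachable-code warning
 * (-Wunreachable-code) would have flagged the duplicated line at build time. */
OSStatus verify_key_exchange_fixed(const uint8_t *sig, size_t len) {
    OSStatus err;
    int ctx = 0;
    if ((err = hash_update(&ctx, sig, len)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig, len)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: a forged signature and the expected one. */
    const uint8_t forged[4] = {0x00, 0x00, 0x00, 0x00};
    const uint8_t genuine[4] = {0xAA, 0xBB, 0xCC, 0xDD};

    printf("vulnerable, forged sig : %d (0 means accepted)\n",
           verify_key_exchange_vulnerable(forged, sizeof forged));
    printf("fixed, forged sig      : %d\n",
           verify_key_exchange_fixed(forged, sizeof forged));
    printf("fixed, genuine sig     : %d\n",
           verify_key_exchange_fixed(genuine, sizeof genuine));
    return 0;
}
```

The defender's lesson is that a negative test (a handshake with a deliberately bad signature must be rejected) would have caught this regardless of how the code was written.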

WW – Data-Centric Security: Reducing Risk at the Endpoints

In this time of increased attacks on IT networks, the king’s men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. Jim Wyne looks at data-centric security as a method to mitigate risk and “ensure the most important asset of the business, the data, is protected.” [The Privacy Advisor]

US – Obama, NSA Take Heat for Crying “Privacy”

The Obama administration is taking heat for its refusal to release the 28 proposals it has received from various corporations on managing the NSA’s database of phone metadata. In response to Wired’s questions, the Office of the Director of National Intelligence (ODNI) replied, “Upon review, ODNI has determined the material should be withheld in its entirety in accordance with FOIA exemptions … Exemption (b)(6) applies to information, which, if released, would constitute a clearly unwarranted invasion of personal privacy of individuals.” This led Venture Beat to comment, “So despite the questionable practice of collecting an individual’s private data without a warrant, the government has no problem keeping efforts to reform the NSA’s program under wraps because it would violate a corporation’s right to privacy.” [Wired] [NSA Wants to Expand Phone Database—Because of Privacy Suits] See also: [80 percent of Australians oppose warrantless e-surveillance]

UK – Agencies Spied on Millions Using Webcam Interception

Optic Nerve is a program created by UK intelligence agency GCHQ in conjunction with the U.S. National Security Agency to intercept and store webcam images of millions of Internet users, many of whom were not suspected of wrongdoing. According to files leaked by Edward Snowden, the program collected images from Yahoo webcam chats in bulk and stored them in agency databases. In one six-month period, the GCHQ collected images from more than 1.8 million user accounts. Yahoo said it was unaware of the activity. “This report, if true, represents a whole new level of violation of users’ privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law,” the company said. [The Guardian] SEE ALSO: [Snowden Documents Reveal Covert Surveillance and Pressure Tactics Aimed at WikiLeaks and Its Supporters]

WW – Reaching the Intended Viewer Made Easier with “Addressable TV”

Political campaigns will have the ability to target television ads at specific individuals. Addressable TV is a new technology that enables advertisers to pay broadcasters to pinpoint specific homes, the report states. “This is the power of a 30-second television commercial with the precision of a piece of direct mail targeted to the individual household level,” said Paul Guyardo, chief revenue officer at DirecTV. “Never before have advertisers had that level of precision when it came to a 30-second commercial.” Advertisers are looking at such data as voting histories, demographics and credit scores to find the viewers they aim to reach, the report states. [The Associated Press]

US – Newark Airport Surveillance System Poses Potential for Misuse

The recently installed 171 LED light fixtures at Newark Airport’s Terminal B are part of a new wireless network of sensors and video cameras that collect and feed data into software capable of recognizing license-plate numbers, identifying suspicious activity and sending alerts to staff. While officials with the Port Authority of New York and New Jersey plan to expand the project to other terminals and buildings, privacy advocates say the technology risks invading privacy. Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, called the potential for misuse “terrifying,” the report states. [The New York Times]

Telecom / TV

WW – Telecoms Press on With Biz Plans Despite Privacy Awareness

Although the Snowden revelations brought privacy into the forefront of mainstream conversation, many telecoms will continue with business plans aimed at capitalizing on the vast data stores their customers create. “Privacy is a hot-button issue right now, but we think we can take a leadership stance,” said Verizon’s Colson Hillier. “It’s not a reputational risk if you do it right and are proactive in communication with consumers and policy-makers.” However, some competitors are taking the opposite tack. The trend toward the monetization of Big Data led The New York Times to editorialize that a Big Data study commissioned by U.S. President Barack Obama needs to produce “not only a thorough description of how businesses are collecting private data but also specific legislative proposals to give consumers more control of that information.” [Reuters]

US – “Revenge Porn” Victim Awarded $500K in Civil Case

A jury in Texas has awarded a woman $500,000 in a “revenge porn” case. An ex-boyfriend blackmailed her and eventually published the material on the Internet. Though there is no specific law against it in Texas, two state lawmakers are working on legislation that would make revenge porn illegal. Critics, however, warn such a law could violate the First Amendment. One legal analyst said, “If you allow the state or federal government to restrict your speech in one instance, it could expand and get more restrictive over other matters and nobody wants that.” New Jersey and California have both outlawed revenge porn and other states are considering a similar move. [KTRK-TV]

US Government Programs

US – ABA Asks NSA for Clarification on Attorney-Client Privilege

After a report by The New York Times describing the alleged surveillance of a U.S. law firm and its clients by the National Security Agency (NSA) and its Australian counterpart, the president of the American Bar Association (ABA) has sent a letter to the NSA expressing concerns about the protection of attorney-client privilege. ABA President James Silkenat has also asked for clarification on the NSA’s policies and practices concerning intercepted confidential data. “The attorney-client privilege is a bedrock legal principle of our free society and is important in both the civil and criminal contexts,” he wrote, adding, “It enables both individual and organizational clients to communicate with their lawyers in confidence, which is essential to preserving all clients’ fundamental rights to effective counsel.” [Full Story] See also: [AU: Immigration Department data lapse reveals asylum seekers’ personal details]

US – Leaked NSA Document Indicates Client-Lawyer Confidentiality Compromised

Amidst a chorus of concerns by American lawyers with clients overseas that their confidential communications could be compromised by state surveillance, it appears at least one law firm has already been affected. A top-secret document obtained by Edward Snowden indicates that a U.S. law firm’s communications with Indonesian officials over trade talks had been accessed. Meanwhile, the Privacy and Civil Liberties Oversight Board is turning its attention to another NSA program allowing the agency to monitor Internet traffic belonging to foreign intelligence targets, and the National Institute of Standards and Technology has released its Framework for Improving Critical Infrastructure Cybersecurity. [The New York Times]

US – Is PI Used for Online Educational Services Protected?

The Department of Education (DoE) has weighed in with an answer to the question of whether personal information (PI) collected in the $8 billion preK-to-12th-grade education software industry is “federally protected from being shared or sold by technology vendors.” The answer? “It depends.” New DoE guidance includes that “careful wording,” the report states, in detailing “requirements and recommended practices for school management of online education services that directly involve students or their parents.” Meanwhile, Forbes reports on The Student Privacy Zone Summit in Washington, DC, aimed at ensuring student information “is restricted to educational use only.” [The New York Times]

US – TSA Pre-check Gives Rise to Privacy Concerns

Privacy concerns are coming out of the Transportation Security Administration’s (TSA) Pre-check expedited screening program. TSA Administrator John Pistole aims to move half of air travelers through expedited screening by the end of 2014. As the program expands, however, privacy experts warn against giving up more personal information in exchange for quicker travelling. “Either the assessments will be based on a laughable amount of information about people and will only be providing an illusion of security, or they will be so intrusive that the government will basically be doing background checks on everyone who flies,” said the American Civil Liberties Union’s Jay Stanley. [USA Today]

US Legislation

US – Illinois Senate Committee Passes Revenge Porn Bill

An Illinois Senate committee has unanimously passed a bill that would make it a felony to post sexual material of others on the Internet without consent and to use that material for blackmail purposes. The American Civil Liberties Union of Illinois is concerned the measure is too broad and may restrict free speech. [The Associated Press]

US – Indiana Senate Committee Passes Digital Privacy Bill

An Indiana Senate Committee has unanimously passed HB 1009, which would limit law enforcement’s use of drones, GPS tracking and cellphone searches as well as set new rules for citizens’ use of surveillance technologies. [The Statehouse File]

US – Kansas Student Privacy Bill Gains School Board Assoc. Support

The Topeka Capital-Journal reports that the Kansas Association of School Boards has put its support behind a bill that would restrict the sharing of student data and collection of biometrics, codifying the Department of Education’s practices. SB 367 would prevent data sharing with other state agencies in the absence of data-sharing agreements, which causes concern for the state’s epidemiologist, who says it could have unintended consequences for public health.

US – Colorado Bill Aims To Protect SSNs

Colorado’s HB 14-1141 is headed to the House after being passed by the State, Veterans and Military Affairs Committee. The bill, sponsored by Rep. Don Coram (R-District 58), would prohibit state and local government entities from requiring unpaid board members to disclose their Social Security numbers. [The Watch]

US – California Bill Would Restrict Use, Collection of Student Data

California Sen. Darrell Steinberg (D-Sacramento) will today introduce a bill aimed at protecting student data. “The bill would prohibit education-related websites, online services and mobile apps for K-12 graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance,” the report states. A growing chorus of lawmakers believes laws on student data have been unable to keep pace with technological innovations. Steinberg said he doesn’t want to limit legitimate use of student data but believes the data should be used for “educational benefit and nothing else.” [The New York Times]

US – Florida Sen. Proposes Limits on Prescription Drug Database Access

Florida Sen. Aaron Bean (R-Fernandina Beach) has proposed SB 862, which would require law enforcement to get a court order to access information in the state’s prescription drug database. Police say the database has helped curb prescription drug abuse, and a judge recently dismissed a case challenging investigators’ access to the data, but others in the state say citizens need more privacy protections. Bean says there needs to be a balance between privacy and law enforcement, adding, “The government already monitors our phone calls; they read our e-mail. Does the government have to be in our medicine cabinets, too? I don’t think they do.” [The Daytona Beach News-Journal]

US – Illinois House Committee Endorses Student Privacy Bill

HB 4558, which would require that public preK-12 schools get written parental consent prior to sharing student data with outside individuals or entities, heads back to the house for consideration after gaining the support of the Elementary & Secondary Education Committee. The bill’s sponsor, Rep. Scott Drury (D-Highwood), points to education data nonprofit inBloom as an example of the need for the law. “Illinois is allowing your student’s data to go to a hub that’s called inBloom, along with two other states that are allowing it,” Drury said, adding, “From inBloom, third-party vendors can buy that data and target your kid by Social Security number or by name.” InBloom has released a statement saying it “will never sell student or customer data.” [The Herald-Review]

US – Illinois Senate Considering Cellphone Tracking Limits

The Illinois Senate is now considering legislation to require authorities to obtain a search warrant prior to using cellphone geolocation technology to track individuals in most circumstances. Sen. Daniel Biss (D-Evanston) says his bill aims to protect privacy, noting, “If you envision a world where there’s no gates around what can be done with our information that comes from a cellphone … that’s a picture of a world that nobody wants to live in.” This is Biss’s second attempt, and with the new iteration, he has gained the support of Deputy Chief of Narcotics for the Cook County State’s Attorney Office Patrick Coughlin, who testified against his first bill. “Our biggest objection was that we needed to have probable cause for any location information, including historical information—where someone was a week ago,” which Coughlin said could hamper investigations. [The Chicago Sun-Times]

US – New Mexico House Passes Breach Notification Bill

The New Mexico House has passed an amended version of HB 224, which would require companies to notify customers of a data breach within 45 days of discovery—as opposed to the 10 days originally proposed. The bill also includes requirements for notifying the state attorney general and consumer reporting agencies within 14 days and has a risk-of-harm threshold for notifications as well as payment card breach provisions. [Bloomberg BNA]

US – Texas Court Expands Privacy Rights

The Texas Court of Criminal Appeals has expanded cellphone privacy rights in its ruling that police improperly searched a Huntsville student’s cellphone without a warrant. The phone was being held in a jail property room, and while prosecutors claimed officials have a right to search inmates’ items with probable cause, the court said in its decision, “A cellphone is unlike other containers as it can receive, store and transmit an almost unlimited amount of private information,” adding, “The potential for invasion of privacy, identity theft or, at a minimum, public embarrassment, is enormous.” The one dissenter on the nine-judge panel wrote in his opinion that the defendant failed to prove an expectation of privacy because he was not in possession of the phone and knew it was in the hands of the police. “The fact that cellphones potentially contain vast amounts of private data, by itself, does not automatically result in a finding of a reasonable expectation of privacy in every case,” he said. [American-Statesman]

US – Massachusetts High Court Rules Warrant Needed for Cell Location Data

The Massachusetts Supreme Judicial Court has ruled that police must obtain a warrant prior to collecting cellphone location data. The court ruled 5-2 against prosecutors, deciding that obtaining cell-site location information over a two-week period “without a warrant based on probable cause was an invasion of privacy and a violation of the state Declaration of Rights.” The decision “says that people can have a constitutionally protected privacy interest in information about them even if that information is in the hands of a third-party service provider like their cellphone company,” said Matthew Segal, legal director for the American Civil Liberties Union of Massachusetts. [The Associated Press]

US – New Jersey Assembly Committee Passes Reader Privacy Act

The New Jersey Assembly Consumer Affairs Committee has unanimously recommended passage of the Reader Privacy Act. The law would require police to obtain a judge’s approval before collecting information about a person’s book and e-book purchase history and prevent sellers from sharing the information with third parties. If passed, the state would become the third in the nation to have such a law. [The New Jersey Law Journal.]

US – Rhode Island Considers Social Media Privacy Bill

The Rhode Island Legislature is considering a bill that would prohibit employers and schools from penalizing employees or students for refusing to hand over social media information or compelling them to do so. Senate Majority Leader Dominick Ruggerio (D-Providence and North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton and Westerly) proposed the legislation, with Ruggerio noting, “The term ‘social media’ does not mean everything associated with a person’s online presence is automatically public, and it is not a license for an employer or school to pry into private material,” according to a press release. [The Brown Daily Herald]

US – Wisconsin Senate Passes Drone Bill

The Wisconsin Senate passed a bill that would limit police and others’ use of drones, including barring drones with cameras and weapons. Under the bill, police would need a warrant to use data collected by drones unless in public, and the bill would ban private individuals from using drones to record others where they would have a reasonable expectation of privacy. While civil rights advocates say drones pose a threat to privacy, drone industry groups are concerned that drone privacy bills will hamper the benefits of drones. [The Milwaukee-Wisconsin Journal Sentinel] See also: [US: Assembly passes bill to protect confidentiality of student records]

US – Wyoming Student Privacy Bill Heads to House Floor

The Wyoming House Judiciary Committee passed a bill requiring parental consent before collecting children’s personal and education data, but first it amended the bill to state that only data collected by the state Department of Education would require the consent. HB 179 passed with a 7-2 vote. Rep. Lynn Hutchings (R-Cheyenne) said the bill would allow parents “to be able to see exactly what’s going on, what the education system is asking for and truly get involved by saying each year, ‘Yes, I agree that you can collect this data or not.'” The bill will now go to debate on the House floor. [The Associated Press]

Workplace Privacy

CA – Union’s Right to Employees’ Home Contact Information from Employer Trumps Privacy Concerns

Elizabeth Bernard is an employee of the Canada Revenue Agency. She objected to the disclosure of her home contact details by her employer, as requested by the union. Ms. Bernard took the position that disclosure of her home contact details breached her privacy rights and her Charter right not to associate with the union (she is not a member of the union, but is represented by the union in the collective bargaining context). The Public Service Labour Relations Board concluded that only being able to contact employees through their workplace did not allow the union to represent employees effectively. It also found that the disclosure of home contact details was consistent with the purpose for which the information had been obtained under section 8(2)(a) of the Privacy Act, which is one of the exceptions to the ban on disclosure of government-held information. The Board declined jurisdiction to consider the Charter arguments. On judicial review, the Federal Court of Appeal upheld the Board’s conclusions. The matter was then appealed to the Supreme Court of Canada, which handed down its decision on February 7, 2014. [Mondaq News] [Monitoring device goes beyond checking work productivity]

US – D.C. Council Weighs ‘Banning The Box’ Asking For Criminal History

Some 60,000 D.C. residents, about 10 percent of the population, have a criminal history. Many of them are unemployed, and standing between them and any shot at a job is one little box. “Have you ever been convicted of a crime?” is a question that often appears on employment forms. Check yes and you are likely to be automatically disqualified, with no opportunity to say when or what the offense was, explain any extenuating circumstances or put the criminal history in perspective. Legislation that would “ban the box” is pending before the D.C. Council and deserves thoughtful consideration. The “Fair Criminal Record Screening Act of 2014,” sponsored by D.C. Council member Tommy Wells (D-Ward 6), is part of a growing national movement that seeks to prevent employers from asking about criminal records during the initial stage of hiring for a job. [Source] SEE ALSO: [US: Lawmakers’ report: FDA monitoring of staff e-mails may have violated whistleblowing law]


01-14 February 2014


WW – Facial Recognition Tech Used in Sochi; Expanded Uses Expected

Facial recognition software is being used at the international airport in Sochi, Russia. Made by U.S.-based Artec Group, the technology uses a 3D camera to identify individual faces with the intent of improving airport security. Artec Group Chief Executive Artyom Yukhin said the software can differentiate between identical twins, isn’t fooled by disguises and has been tested in airports around the world, the report states. Meanwhile, a World Economic Forum report predicts that facial recognition will be implemented as part of fully automatic check-in systems at airports and border crossings by 2025. And last week, the U.S. NTIA kicked off talks aimed at creating a voluntary code of conduct for facial recognition technology. [San Jose Mercury News] See Also: [Security and privacy; As the balance shifts] and [Exit records: Crossing the border can be a matter of public concern]

US – NTIA Holds 1st Meeting on a Facial-Recognition Code of Conduct

The Department of Commerce’s National Telecommunications and Information Administration yesterday held the first of a series of meetings aimed at creating a voluntary code of conduct for the development and implementation of facial recognition technology. The meeting, which hosted stakeholders spanning advocacy and industry, was primarily a chance for the group, as well as the 100 or so watching the live webcast, to hear from experts on how the technology works, how it’s currently being applied and for what reasons, and what it might be capable of accomplishing in the future. [The Privacy Advisor]

US – FBI on Track for Facial Recognition Database

New documents released by the FBI indicate the agency is headed toward its goal of a fully operational facial recognition database by this summer, the Electronic Frontier Foundation (EFF) reports. The records were obtained in response to an EFF Freedom of Information Act lawsuit over the FBI’s plans for its Next Generation Identification biometric database that may hold records on up to one-third of the U.S. population, the report states. [EFF] See also: [Facial recognition software used to track dingoes]

EU – French DNA Sweep Exposes Differing Cultural Norms

The differing privacy norms in France and the U.S. are illustrated through the prism of a case where a high school student was raped and more than 500 male students and staff willingly submitted to DNA testing to help find the rapist. One expert said that although the French value their privacy, the case has not sparked a mass outcry because of its criminal context. In the U.S., the case likely would have raised civil rights and Fourth Amendment violation concerns, the report states. Pascale Gelly said, “France takes data privacy very seriously,” adding, “Massive testing will always raise privacy issues, and that’s good because it’s always important to (ask) the question, ‘Is it proportionate or not?’” [The Christian Science Monitor]

WW – As Facial Recognition Uses Expand, Privacy Concerns Abound

Companies are working on facial recognition-based “VIP identification” for hotels and other businesses expanding “shoplifter-identification services with parallel programs to help retailers recognize customers eligible for special treatment.” Meanwhile, law enforcement agencies in one California county are “testing facial recognition technology to help identify people in the field.” A National Telecommunications and Information Administration event this week is expected to look at issues related to facial recognition technology, the report states, noting that on the topic of facial recognition, the Federal Trade Commission’s Jessica Rich has said, “This is another reason that we need omnibus privacy legislation.” Across the globe, Japan’s National Institute of Information and Communications Technology plans to test facial recognition at Osaka’s train station. [The New York Times]

US – Legislators Considering Regulating Biometrics

Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems.” The legislators are examining the issue in the wake of outrage from parents who learned last year that “students’ eyes were being scanned as a condition of boarding school buses in central Florida’s Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children’s data is taken,” the report states. [Reuters]

Big Data

WW – Coalition Demands Public Involvement on Study

The White House met with a coalition of consumer, civil liberties and privacy groups Monday after the group called on President Barack Obama to review the recently announced study, “Big Data and the Future of Privacy.” EPIC, the Center for Digital Democracy and the ACLU are among the groups that signed a letter to the White House’s Office of Science and Technology Policy requesting public involvement in the process. The meeting was the first in a series the White House has planned to gain varied perspectives. [The Hill]

WW – Scientists Using Tweets to Determine Flu Outbreaks

Scientists from Pennsylvania State University say they’ve developed a way to find Twitter posts that identify viral illnesses. In a recently published paper, “On the Ground Validation of Online Diagnosis with Twitter and Medical Records,” researchers say they’ve created “a system for making an accurate influenza diagnosis based on an individual’s publicly available Twitter data.” The researchers say they were able to determine, with 99-percent accuracy, whether an influenza outbreak was occurring by combining text analysis, anomaly detection and social network analysis. In 2008, similarly, Google began estimating flu infections by tracking flu-related search terms. [InformationWeek]

US – When and How Your Middle Name Could Become “Is a Slut”

How did political writer Lisa McIntire end up with “Is a Slut” as her middle name on the address line of a letter from Bank of America? And how did Mike Seay end up with information about his daughter’s death on his mailing from OfficeMax? “In tort law, we would call it negligence,” writes Ryan Calo. “A data broker collected information about a tragic death and accidentally sold it,” he adds, and the companies’ screening processes didn’t catch these blunders. “The truth is that there are consequences to obsessively compiling information about consumers and promiscuously sharing it.” [Forbes]


CA – Canada Privacy Officials Seek Changes to Oversee, Limit Government Surveillance

The Canadian government should strengthen its privacy policies to ensure that actions taken in the name of national security don’t have an adverse impact on Canadians’ expectations for personal privacy, Chantal Bernier, the interim chief of the Office of the Privacy Commissioner of Canada, said in a Jan. 28 special report to Parliament. Measures to improve transparency, modernize privacy statutes and boost Parliament’s oversight are needed to address privacy in the context of national security, Bernier said in a statement accompanying the report. “While a certain level of secrecy is necessary within intelligence activities, so is accountability within a democracy,” she said. The report recommended that Parliament:

  •  improve oversight and reporting mechanisms, including requiring the agency Communications Security Establishment Canada (CSEC) to disclose annual statistics on its communications interception activities on behalf of other federal agencies;
  •  modernize the federal privacy protection regime through amendments to the Personal Information Protection and Electronic Documents Act and the Privacy Act, including adding stronger provisions on exchanges of personal information with foreign authorities and investigations that exploit online sources and social network sites;
  •  increase legal recourse for individuals under the Privacy Act, which covers information maintained by the government; and
  •  strengthen accountability by increasing the powers of federal bodies that provide oversight for national security operations, clarify and update other legal authorities that govern intelligence operations and enhance Parliament’s oversight of intelligence activities.

The federal privacy office wasn’t the only data protection authority in Canada calling for changes in the wake of surveillance revelations. Ontario Privacy Commissioner Ann Cavoukian on Jan. 28 issued a statement calling on the federal government to improve its transparency and accountability, particularly in the activities undertaken by the CSEC. Edward Snowden’s “brave sacrifices” in releasing details of privacy-invasive activities by intelligence agencies in the United States have demonstrated the significant dangers associated with unchecked state powers, Cavoukian said. [Source] See also: [Spy agency’s work with CSIS, RCMP fuels fears of privacy breaches]

CA – Alberta to Update Law

Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional.” The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government’s intention to pass the amendments early in the fall 2014 session to comply with the court’s ruling,” Service Alberta’s Gerald Kastendieck said Wednesday. The amendments will “focus on unions and picketing,” the report states, noting, “There won’t be a general review of the 10-year-old legislation this year.” [The Canadian Press]

CA – Premier Calls for Changes to Restrictions

Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended.” Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports. [The Globe and Mail]

CA – Gary Dickson Leaves Role as SK Information and Privacy Commissioner

The end of the month brings an end to Gary Dickson’s term as Saskatchewan’s Information and Privacy Commissioner. Dickson took up the position on November 1, 2003 as the first privacy commissioner in Saskatchewan and was reappointed in 2009 for another term. Before that, Dickson served as an MLA in Alberta for nearly ten years, during which time he helped develop Alberta’s Freedom of Information and Protection of Privacy Act and the Health Information Act. Dickson and his team have issued 94 reports on their website and provided a great deal of information to the provincial government. Not all of his recommendations have been followed over the years, but Dickson said that never really frustrated him. [Source]

CA – Nova Scotia Commissioner Calls Her Removal ‘A Lack of Respect’

Nova Scotia’s privacy and information watchdog says she was shocked to learn the government is replacing her. Dulcie McCallum has been Nova Scotia’s freedom of information and protection of privacy officer for seven years and said she expected a reappointment. Instead, she was given two weeks’ notice. McCallum said she’s been working “night and day” in the post. “For me personally and for the public, it just kind of shows a lack of respect for me and the office and our work. And if you don’t get reasons, somehow it tends to impugn the character of the person. [It] is unfair to not provide reasons,” she said. “If you are tenacious as an independent office, then often people don’t want that who are the governing party. They don’t want to have that kind of independent, impartial, non-partisan oversight in place.” [Source]

CA – CSEC’s Collection of Metadata Shows Ability to ‘Track Everyone’

Recent allegations about domestic spying and the collection of “metadata” by one of Canada’s security agencies have inspired a great deal of confusion about the precise nature of the surveillance. John Forster, head of the Communications Security Establishment Canada, appeared before the Senate security and defence committee Feb. 3 and answered questions about a CBC report that said CSEC had used airport Wi-Fi to follow the movements of Canadian travellers. In this particular case, Forster denied that CSEC had snooped on Canadians, saying the agency had accessed airport Wi-Fi to capture “a snapshot of historical metadata.” [Source] [Security officials deny violating Canadians’ privacy in airport operation]


US – Bank, Retail Groups Combine Efforts to Protect Consumers

Bank and retail industry groups have announced a new partnership focused on sharing information about cybersecurity threats and improving consumer protection technologies, reports Reuters. While Tim Pawlenty, chief executive of the Financial Services Roundtable, notes, “There’s going to continue to be differences on things like the costs of issuing replacement cards” after a breach, the groups can “benefit from learning from each other on internal system resiliency and improvement in best practices” as well as “state-of-the-art cyber defenses.” The associations plan to form working groups and also focus on protecting mobile payments and thefts that don’t involve payment cards. [Reuters]

US – Start-Up Offers Cash to Track Users

Datacoup is a company running a beta trial offering consumers money in exchange for access to their online habits. For $8 a month, users allow the company access to a combination of their social media accounts and the feed of their credit and debit card transactions. Datacoup plans on turning a profit by offering businesses access to mined, anonymized data. CEO Matt Hogan said, “If a consumer wants to make an educated decision, they should be able to sell their data to who they want.” Carnegie Mellon’s Alessandro Acquisti cautions that Datacoup doesn’t really give consumers control of their data because social media and financial sites still retain it, and consumers get money now, but may regret it later. “Measuring privacy trade-offs is exceedingly hard,” Acquisti added. [MIT Technology Review] See also: [Sell Your Personal Data for $8 a Month]

US – Marketer Plans to Build Its Own Database

Kimberly-Clark Co. is aiming to shift from selling its products through retailers and instead build its own “deal database” through a promotion-analytics firm. While the company has been tracking how often and where people redeem digital offers as well as how often they share them with friends via social media, it now wants to collect data—via informed consent—that it can use in less anonymous ways for more engaging promotions and targeting. Meanwhile, Twitter has acquired Gnip—a company that specializes in collecting, organizing and sharing social data, which Twitter says will help it provide “more sophisticated data sets and better data enrichments” for developers and businesses. [Advertising Age]

WW – Microsoft: Notice and Consent Overburden the User

Microsoft’s Scott Charney discusses the future of commercial data privacy models, a topic he also discussed at the IAPP Global Privacy Summit in March. Because the availability of data is “rapidly changing how businesses operate,” a “whole range of new privacy challenges” have presented themselves, while the rules on privacy haven’t kept pace, Charney writes. While notice and consent are important, they are antiquated models that overly burden the user. The way forward? Increased organizational accountability, new enforcement models and a focus on risk assessments, to start. [The Huffington Post]

WW – Google Updates Terms to Reflect Content Analysis

Amidst controversies with privacy groups over its scanning of user e-mail, “Google has updated its terms of service to reflect that it analyzes user content including e-mails to provide users tailored advertising, customized search results and other features.” The report highlights actions around Google’s practices and quotes the new terms of service, which went into effect Monday, as stating, “Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection. This analysis occurs as the content is sent, received and when it is stored.” [PC World]

US – Tips to Determine If Your Printer has Internal Storage

Some high-end printers and copiers retain digital copies of documents in their internal storage. This report offers tips from its lead analyst for printers and scanners, M. David Stone, on how to determine whether your printer is one of those, and if it is, what precautions to take to be sure it’s inaccessible when you get rid of it. If your printer has private printing or the ability to re-order the print queue via an embedded webpage, it may have internal storage capabilities, Stone says. When in doubt, he recommends opening it up and poking around: “Take it out to the street, and bang on it with a hammer until the insides rattle nicely,” says Stone. [PC Magazine]

US – Who Can See My Fitness Data?

Wristband fitness devices carry a potential risk that the data they collect could end up in corporate hands. In a speech last week, the Federal Trade Commission’s Jessica Rich discussed the potential implications, such as that health data could be “collected and then sold to data brokers and other companies she does not know exist”—a concern, considering the devices collect data such as sleep quality, weight and even GPS location at times. Meanwhile, a new mobile app allows users to determine if other mobile apps are collecting their location information. [MotherJones]


US – Judge Dismisses EPIC’s Suit on Expanded Data Access

A federal judge has ruled that the Electronic Privacy Information Center (EPIC) lacks standing to challenge the expansion of access to public school students’ data. EPIC sued the U.S. Department of Education under the Family Educational Rights and Privacy Act “claiming the government exceeded its statutory capabilities by changing the definitions of key terms within the law,” the report states. Meanwhile, Fordham law Prof. Joel Reidenberg said recently that outsourcing, lack of transparency, vague contracts, outdated laws and new pushes for data analytics are to blame for the current risk to student privacy. [Courthouse News Service] SEE ALSO: [CA – Federal government tweets take weeks to produce]


US – Brill Talks Big Data, Cookies and Mobile Devices

Federal Trade Commissioner Julie Brill took to Twitter yesterday, taking questions on the partnership between the U.S. and EU on data processing, the use of mobile devices in healthcare and a potentially cookie-less web ecosystem. The full conversation is at #FTCpriv. Here at the IAPP, we’ve collected the highpoints of the hour-long chat for your reading pleasure. [Full Story]

Electronic Records

US – Patient Access to Info Strengthened

The Department of Health and Human Services is strengthening patient rights to access laboratory reports. “The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act Privacy Rule,” HHS Secretary Kathleen Sebelius said. The final rule allows labs to give patients or their designees “access to the patient’s completed test reports on request,” the report states. The changes allow patients to “obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.” [UPI] See also: [NS: Electronic health record pilot project attracts thousands] See also: [DOD Electronic Health Records Help VA Disability Claims]

US – Tiger Team Needs Help on Privacy Work

The ONC’s Health IT Policy Committee’s Privacy and Security Tiger Team is calling for public comment on privacy and policy concerns surrounding patients giving access to their health information. Led by committee Chair Deven McGraw, the panel is asking for input prior to its next meeting, slated for Feb. 10 at 2 p.m. Because patients can access relevant healthcare information through view/download/transmit, the Tiger Team is considering whether there are additional privacy and security policy issues that need to be resolved when family or friends access the data. Among the questions the Tiger Team will tackle:

  • Are there policy issues that need further resolution regarding personal representative access to view/download/transmit accounts?
  • How do healthcare providers confirm that an individual is, in fact, a personal representative?
  • How are patients’ friends and family provided with credentialed access to view/download/transmit accounts?
  • Is this access “all or nothing,” or are there more granular options? If the latter, how does this get accomplished? [Source]

US – Courts Tackle Privacy of Delivered Texts, Voicemails

The Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act. [Law360 reports]


CA – Two Sites Concede Heartbleed Data Losses

Two websites, Canada’s tax authority and a British parenting website, have said some of their users’ data has been compromised as a result of the Heartbleed bug, and these are the first two admissions stemming from the now infamous OpenSSL security vulnerability that was exposed last week. The Canada Revenue Agency (CRA) blocked online public access to its site last week. “Regrettably, the CRA has been notified … of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said. British parenting site Mumsnet assured its more than one million users it “followed all the published steps to protect members’ security … but it seems that the breach occurred prior to that risk becoming known.” [PC World]

EU Developments

EU – MEPs: Trade Deal Should Not Pass Without U.S. Privacy Reforms

The LIBE Committee approved a report stating the European Parliament should not agree to the EU-U.S. trade deal, the TTIP agreement, unless it fully respects EU citizens’ data privacy. The report, which passed the committee by a 33-7 vote, condemns the “vast, systemic, blanket collection of personal data of innocent people, often comprising intimate personal information.” The committee also “voted against calling for asylum protection for former U.S. intelligence agency contractor and whistleblower Edward Snowden,” EUObserver reports. Meanwhile, EDPS Peter Hustinx recently discussed NSA surveillance and the forthcoming reforms of the data protection regulation, and the European Agency for Fundamental Rights has released its official agenda for the EU, which includes recommendations on the EU data protection framework. [Help Net Security]

EU – German Court of Justice Clarifies Rules on Credit Scoring, Access

Germany’s Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. “While credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act,” they do not have to disclose their methods in determining the score. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Takeaways from the First Cookie Consent Fines

Last month, Spain’s Data Protection Authority (DPA) issued its first fines since its implementation of the EU “cookie consent” requirement, prompting Nuria Pastor to write of the messages to take away from this case. Among those takeaways, Pastor writes, “Even though cookies are part of our everyday life, European regulators perceive the use of cookies as intrusive—this is explicitly stated in the decision. As a result, time, resources and efforts will be invested to tackle their unlawful use.” She also cautions that “the grace period has long been over. If you have not already done so, it is important to get your house in order now.” [Privacy and Information Law Blog]

WW – Google Fights CNIL Request in Court

Google has asked a French court to suspend an order requiring it to post a message on its French home page notifying users of the privacy fine levied by France’s data protection authority (the CNIL). A Google lawyer has argued that posting the notice of the 150,000 euro ($204,000) fine causes irreparable damage to the company’s reputation. Patrice Spinosi, a lawyer representing Google, said, “This is something we’ve never seen before … Google has always maintained that page in a virgin state.” The CNIL has said that users of Google’s home page have the right to know that Google has been sanctioned. [The Wall Street Journal]

EU – Hawkes Will Not Seek Reappointment as DPC

When his current term comes to an end next year, Data Protection Commissioner (DPC) Billy Hawkes will not be seeking reappointment. Hawkes was appointed DPC nine years ago, back when “Gmail was still in beta; Facebook was only open to a handful of colleges, and Steve Jobs was secretly designing a mobile phone.” Mark Milian writes that although “Hawkes says he won’t seek reappointment in 2015 when his current term as commissioner ends … he should have plenty to do before then” with Twitter and Dropbox operations in Ireland, the current examination of LinkedIn’s policies and the DPC’s placement “in the middle of a tech tug of war.” [Bloomberg BusinessWeek]

EU – Yahoo Moves to Ireland, Preps for DPC’s Audit

Yahoo will undergo a privacy audit by the Irish Data Protection Commissioner (DPC) following the company’s announcement to the DPC that it would move all of its data processing facilities in Europe to Ireland. DPC Billy Hawkes said it’s standard procedure to audit any Internet firms processing personal information in Ireland; Hawkes’ office is now completing an audit of Dublin-based LinkedIn. Hawkes has recently voiced disapproval of public-sector entities’ handling of personal data—even calling out the Department of Social Protection as being “substandard” in its protection methods. [Independent]

Facts & Stats

WW – Tech Giants Publish Updated Government Data Request Stats

Google, Microsoft, Apple, Yahoo, Facebook and LinkedIn published new U.S. government data request statistics this week, following the resolution of a lawsuit with the U.S. Department of Justice. The reports show a dramatic uptick in NSA data requests over the past year. A representative from the ACLU said though the reports were helpful, “they’re not nearly enough” for the public to assess the scope of the requests. In other surveillance-related headlines, Wired reports on a case involving the government order to Lavabit to hand over its SSL keys, and the Chaos Computer Club is suing the German government for allegedly helping foreign intelligence services—including the NSA and the UK’s GCHQ—monitor German citizens and compromise their privacy, ZDNet reports. [CNet News]

WW – Facebook Addresses New Vulnerability

App privacy firm MyPermissions found this week what it called “a worldwide vulnerability” in Facebook’s mobile apps: a third-party app developer could make the Facebook app crash every time a user tried to revoke that app’s permission to access information, so the revocation never took effect and the app kept its access to personal data on the tablet or phone. MyPermissions quickly contacted Facebook, which quickly responded to fix the issue. “They did a fantastic job of getting in touch with us very quickly,” said MyPermissions CEO Olivier Amar. “Facebook takes this very seriously, and I’m very impressed by them.” While no official word has been issued, the report states the bug was likely fixed by end of day Thursday. [Yahoo! News]


US – Audit Finds Most Tax Apps Lacking in Privacy, Security

Hewlett-Packard (HP) has warned consumers that many mobile financial apps contain at least one privacy violation, such as unencrypted data storage and transmission and access to user contact lists and geolocation. “The bottom line is that even with all the best intentions of providing fast tax-filing assistance, mobile tax apps could put users at risk,” said HP’s Maria Bledsoe. Privacy does not appear to have been designed in from the start for many of these apps. “A lot of companies are looking at mobile apps as a fancy user interface, and they’re putting their protection on the back-end behind the firewall,” Bledsoe said, adding, “they’re not realizing yet that this is yet another attack vector and is an entry point for the hackers.” [TechCrunch]
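The findings HP describes (cleartext transmission, world-readable local storage, sensitive permissions) are the kind an auditor triages from the strings and manifest of a decompiled build before any dynamic testing. The script below is an added example, not HP’s tooling or the page’s own code: a heuristic first pass over constructed sample input. The `example-tax.test` hosts, the manifest fragment and the pattern list are assumptions made for illustration; a real review would follow each hit into the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the kind of output `strings` gives on a decompiled
# Android build. Hosts under example-tax.test are fictional.
SAMPLE_STRINGS = """\
https://api.example-tax.test/v1/returns
http://api.example-tax.test/v1/upload-w2
http://schemas.android.com/apk/res/android
getSharedPreferences("taxpayer", MODE_WORLD_READABLE)
openFileOutput("ssn_cache.txt", MODE_PRIVATE)
Cipher.getInstance("AES/ECB/PKCS5Padding")
Cipher.getInstance("AES/GCM/NoPadding")
android.permission.READ_CONTACTS
android.permission.ACCESS_FINE_LOCATION
android.permission.INTERNET
"""

# Constructed manifest fragment with two settings worth flagging.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true" android:allowBackup="true">
  </application>
</manifest>
"""

SENSITIVE_PERMISSIONS = {
    "READ_CONTACTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_CALL_LOG", "READ_SMS",
}
# Namespace URIs look like cleartext URLs but never carry traffic.
SCHEMA_HOSTS = ("schemas.android.com", "www.w3.org")


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


def scan_strings(text: str) -> List[Finding]:
    """Flag cleartext endpoints, world-readable storage, ECB mode and sensitive permissions."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("http://") and not any(h in line for h in SCHEMA_HOSTS):
            findings.append(Finding("cleartext-transmission", line))
        if "MODE_WORLD_READABLE" in line or "MODE_WORLD_WRITEABLE" in line:
            findings.append(Finding("world-accessible-storage", line))
        if re.search(r'Cipher\.getInstance\("[^"]*/ECB/', line):
            findings.append(Finding("weak-cipher-mode", line))
        if line.startswith("android.permission."):
            if line.rsplit(".", 1)[1] in SENSITIVE_PERMISSIONS:
                findings.append(Finding("sensitive-permission", line))
    return findings


def scan_manifest(xml: str) -> List[Finding]:
    """Flag manifest attributes that weaken transport or at-rest protection."""
    findings: List[Finding] = []
    if re.search(r'android:usesCleartextTraffic="true"', xml):
        findings.append(Finding("cleartext-transmission", "usesCleartextTraffic=true"))
    if re.search(r'android:allowBackup="true"', xml):
        findings.append(Finding("backup-exposes-local-data", "allowBackup=true"))
    return findings


def triage(strings_text: str, manifest_xml: str) -> Dict[str, int]:
    """Count findings per category for the audit summary."""
    counts: Dict[str, int] = {}
    for f in scan_strings(strings_text) + scan_manifest(manifest_xml):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS) + scan_manifest(SAMPLE_MANIFEST):
        print(f"[{f.category}] {f.evidence}")
    print(triage(SAMPLE_STRINGS, SAMPLE_MANIFEST))
```

Run against the constructed input, the scan flags one cleartext upload endpoint while ignoring the `schemas.android.com` namespace URI, one world-readable preferences file, one ECB cipher string, two sensitive permissions and both manifest attributes. Static hits like these are leads, not proof: confirm each by observing the app’s traffic and on-device files.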

US – Lawyer-Specific App Helps Bolster Attorney-Client Privilege

The report discusses the importance of keeping communications with clients protected—in this case, in family and employment law—and an app that helps do just that. Privatus, which has been designed with lawyers in mind, is a messaging app that helps keep communications confidential and, according to the report, is not subject to legal discovery. Third parties involved in transmitting the encrypted data never see the content, and such data is not subject to subpoena, the report states. [Inside Counsel]

US – Citing Privacy Concerns, Dentist Now Accepts Bitcoin

A Florida dentist is now offering patients the option of paying for services with Bitcoin, citing recent data breaches at major retailers and “the prevalence of medical identity fraud in the healthcare industry.” Dentist Mitchell A. Pohl explained, “I try to stay on top of cutting-edge technology and thought it was only natural to start accepting Bitcoin.” Bitcoin includes “guaranteed anonymity,” the release states, allowing patients to keep Bitcoin medical payments private from their financial institutions. That claim overstates the privacy on offer: Bitcoin transactions are recorded on a public ledger and are pseudonymous rather than anonymous. [PRWEB release] See also [Bitcoin Exchanges Under ‘Massive and Concerted Attack’]


WW – Pulitzers Awarded for NSA Reporting; Reforms Draw Criticism

The Washington Post and The Guardian have received the top award in U.S. journalism for their coverage of National Security Agency (NSA) surveillance practices. The Pulitzer Prizes announcement hails The Guardian for its “distinguished example of meritorious public service by a newspaper or news site through the use of its journalistic resources” and The Washington Post “for its revelation of widespread secret surveillance … marked by authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security.” Meanwhile, The Hill reports “the secrecy surrounding (NSA) reforms is getting blowback from tech companies and privacy activists” who believe the Obama administration’s “policy appears to be riddled with loopholes and won’t make the Internet any safer.” [Full Story] See also: [Tech’s biggest players hire first NSA lobbyist]

WW – Twitter Wants to Tell Customers More

Though the Department of Justice recently announced a deal with major Internet firms to “allow more detailed disclosures about the number of national security orders and requests,” Twitter says the deal doesn’t go far enough. A blog post by Jeremy Kessel, manager of global legal policy, reads, “While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public.” Twitter wants to disclose numbers of national security requests of all kinds separately from all other requests and believes the ranges are too broad to be meaningful. Further, Twitter wants to disclose “that we do not receive certain types of requests, if, in fact, we have not received any.” [Full Story]


CA – Budget provides for new DNA index, other criminal-justice measures

Ottawa says it wants to create a new DNA index to help police identify human remains and bring closure to the families of people who have disappeared. The plan is among several justice-related initiatives in the 2014 budget, which also contains new funding to deal with provincial court delays and address persistent concerns about missing and murdered aboriginal women. Reforming the criminal-justice system has long been a focus for the Conservative government, which bills itself as a strong advocate for victims’ rights and tough-on-crime measures. Funding for the missing-persons index would allow police forces and coroners to submit DNA samples and other information to a central system whenever unidentified remains are found. The budget does not detail how the new index would work, but advocates suggest it could be set up to automatically test new submissions against samples given by the families of missing persons and data that is already collected from some crime scenes and convicted offenders. [Source]

Health / Medical

US – HIPAA Changes Prompt Lab Data Privacy Priority

Recent changes by the Department of Health and Human Services (HHS) give patients the right to access their laboratory information. “Now that patients are legally entitled to their medical results from the lab,” the article states, “these laboratories must take further steps to ensure data doesn’t get into the wrong hands.” According to an HHS estimate, more than 22,000 laboratories will have to spend between $2 million and $10 million combined to develop interoperability systems to allow secure access, and, each year, labs could see as many as 3.5 million requests from patients or their representatives. [InformationWeek] See also: [Unsecure faxes put health data of Albertans at risk]

US – HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth

The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.” [The National Law Review] See also: [Medical ethics overtaken by technology: Goar]

US – Gov’t Launches Contest; Google Cloud Now HIPAA-Friendly

The Office of the National Coordinator (ONC) for HIT and HHS Office for Civil Rights (OCR) recently developed new model notices of privacy practices and has launched a contest in pursuit of software developers to create an online privacy notice. The Digital Privacy Notice Challenge will award $15,000, $7,000 and $3,000 prizes for first, second and third places, respectively. The submission period closes April 7. Meanwhile, Google has announced its cloud platform will now be “HIPAA-friendly.” [Health Data Management]

WW – BlackBerry Buys Tech Company, Plans Cloud-Linked Medical Device

BlackBerry has purchased “a minority stake in U.S.-based technology company NantHealth.” The partnership will see the two companies working on products including a new BlackBerry device designed for the medical industry that will link to NantHealth’s cloud networks, the report states. NantHealth says all the infrastructure will be “government-level privacy certified and allow healthcare professionals to share information securely.” NantHealth’s Patrick Soon-Shiong said, “The future of the healthcare industry requires the ability to share information securely and quickly, whether device-to-device or doctor-to-doctor anywhere and at any time.” [The Canadian Press]

CA – Researcher-Participant Confidentiality Now a Formal Concept in Cdn Law

The successful quashing of a search warrant for confidential research records has changed the landscape for protecting research participants in Canada, says a research confidentiality expert. John Lowman, a criminology professor at Simon Fraser University in Vancouver, British Columbia, says the court decision made researcher-participant confidentiality privilege a formal concept in Canadian law. However, the privilege won’t apply automatically to all confidential data; the ruling from Quebec Superior Court underscores that it must be argued on a case-by-case basis. [Canadian Medical Association Journal]

Horror Stories

UK – Hackers Infiltrate Computer Hardware Co., Medical Group

Hackers recently accessed the details of 500,000 individuals considering cosmetic surgery. The UK’s Harley Medical Group said it believes the hack was an attempt to extort money from the company, and the information includes potential clients’ names, addresses and telephone numbers. Meanwhile, French computer hardware manufacturer LaCie is notifying customers their personal information may have been compromised after hackers used malware to capture transaction data from its website. Customers who bought products between March 2013 and March 2014 may have been affected. [The Guardian]

US – Store, Healthcare Entities, Hotels, Bank Announce Breaches

A number of brands have announced breaches this month, including Tesco, which was the victim of a breach not because of its own systems but as a result of breaches at various websites in which users employ the same username and password across multiple sites. A U.S. senator recently said data breaches are simply a “fact of life” these days, and a new report explains why brands’ stock prices may actually rise after breaches. The Privacy Advisor examines these and other recent breach reports. [Full Story]
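The Tesco incident is the password-reuse failure mode: no flaw in the retailer’s own systems is needed when credentials leaked from another site also open accounts here. The response a practitioner wants is to test a breach dump against one’s own user store and force resets only where the leaked password actually verifies. The code below is an added example, not Tesco’s or the page’s own; the user records, the dump lines and the PBKDF2 parameters are constructed for illustration. Joining on the normalised e-mail first keeps the expensive verifications to a handful and keeps leaked passwords away from unrelated accounts.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (an assumption for this example)

# Constructed user records: (email, password as entered at signup). Nothing real.
SAMPLE_USERS = [
    ("alice@example.test", "correct horse battery"),
    ("bob@example.test", "Tesco2014!"),
    ("carol@example.test", "unique-long-passphrase-xyz"),
]

# Constructed third-party breach dump in the usual email:password form,
# including a mixed-case e-mail and a malformed line.
SAMPLE_DUMP = """\
Alice@Example.test:correct horse battery
bob@example.test:hunter2
carol@example.test:unique-long-passphrase-xyz
dave@example.test:password1
this line has no separator
"""


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored in a self-describing string."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_user_store(users: Iterable[tuple]) -> Dict[str, str]:
    """Simulate the password table: lower-cased e-mail -> stored hash."""
    return {email.lower(): hash_password(pw) for email, pw in users}


def exposed_accounts(store: Dict[str, str], dump_lines: Iterable[str]) -> List[str]:
    """E-mails whose leaked password also opens an account here.

    Only accounts present in the dump are checked, so the number of PBKDF2
    evaluations is bounded by the overlap, not by the dump size.
    """
    exposed = set()
    for raw in dump_lines:
        line = raw.strip()
        if ":" not in line:
            continue  # malformed entry; skip rather than guess
        email, leaked_pw = line.split(":", 1)  # passwords may contain ':'
        email = email.strip().lower()
        stored = store.get(email)
        if stored is not None and verify_password(leaked_pw, stored):
            exposed.add(email)
    return sorted(exposed)


if __name__ == "__main__":
    store = build_user_store(SAMPLE_USERS)
    for email in exposed_accounts(store, SAMPLE_DUMP.splitlines()):
        print(f"force reset and invalidate sessions: {email}")
```

On the constructed data, alice (matched despite the e-mail’s capitalisation) and carol reused their passwords and need a forced reset and session invalidation; bob appears in the dump with a different password and dave is not a customer. The dump’s plaintexts should be processed in a stream and never retained.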

US – FBI Says Target Breach Just a Foreshadow; More Breaches Announced

A Verizon report has found that a vast majority of companies who achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) annually fail to maintain that status, leaving them exposed to potential breaches and other security risks. The report found that only 11 percent maintained compliance status between each PCI DSS assessment. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come, and a number of brands have announced new breaches. [Computerworld] [PCI Standard Compliance Treated as Annual Hurdle, Not Consistent Practice] See also: [Card Breaches Pose Greatest Fraud Risk]

US – PCI SSC Says DSS is “Solid”

The Payment Card Industry Security Standards Council’s Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year. [Computerworld]

US – Hospital Faces Complaint; Device-Makers Hacked

Dignity Health is facing a federal complaint alleging it violated its patients’ privacy by using their records to help leverage a contract dispute with the Nevada Health Insurance Coalition (NHIC). The NHIC alleges hospitals owned by Dignity contacted former patients with NHIC plans to persuade them to take action “with their health plans favorable” to the hospitals, the report states. Meanwhile, hackers infiltrated the computer networks of the country’s top medical device makers—Medtronic, Boston Scientific and St. Jude Medical, San Francisco Chronicle reports. A representative from one of the companies said an investigation is underway. [Las Vegas Review-Journal]

Identity Issues

WW – Microsoft Expands Multi-Factor Authentication to Office 365 Subscribers

All subscribers to Microsoft’s Office 365 suite now have multifactor authentication. Microsoft expanded the feature’s availability beyond subscribers with administrative roles to all users to strengthen “the security of user logins for cloud services.” There is no additional cost for the authentication feature. [ZDNet] [GovTech] [CNET]
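The page does not describe the mechanism behind Office 365’s second factor, and the code below is an added example rather than Microsoft’s implementation: the generic OATH one-time-password scheme (RFC 4226 HOTP and RFC 6238 TOTP) that authenticator apps commonly implement. The server-side verifier shows the two checks that matter in practice: a small clock-skew window, and rejection of any counter at or below the last accepted one so a captured code cannot be replayed within that window. The shared secret and timestamps are the published RFC test vectors.

```python
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter (persist it as last_counter) or None.

    window: steps of clock skew accepted either side of now.
    last_counter: highest counter already accepted for this user; anything at or
    below it is refused, which is what defeats replay of an observed code.
    """
    if len(code) != digits or not code.isdigit():
        return None
    t = int(time.time()) if for_time is None else for_time
    now = t // step
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); never reuse in production.
    secret = b"12345678901234567890"
    code = totp(secret, for_time=59, digits=8)
    print("code at t=59:", code)                                  # 94287082 per RFC 6238
    print("accepted:", verify_totp(secret, code, for_time=59, digits=8))
    print("replay:", verify_totp(secret, code, for_time=59, digits=8, last_counter=1))
```

Two things the RFC leaves to the deployer are visible here: the window should be as small as the user population’s clock drift allows (one step each way is typical), and the accepted counter must be stored per user, because without it a code lifted from a phishing page remains valid for the whole window.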

Internet / WWW

WW – Internet Giants, Users Worldwide Take Part in “The Day We Fight Back”

Protests are happening around the world today as part of “The Day We Fight Back,” a global initiative against governments’ surveillance programs. The Electronic Frontier Foundation is among those calling on Internet users worldwide to participate in the movement, which asserts mass surveillance violates human rights law. Google, Microsoft, Facebook and other tech giants have signed on to the roster of participating groups, National Journal reports. Rep. Matt Salmon (R-AZ) says the U.S. is locked in a “fight of epic proportions” over the constitutional right to privacy, The Hill reports. [Gizmodo]

Law Enforcement

US – NYPD Ends Secret Program

The New York Police Department has shut down a secret program that dispatched plain-clothes detectives into Muslim neighborhoods to spy on conversations and build detailed reports on residents. [EFF]

US – Indiana House To See Bill Restricting Police Surveillance Techniques

The House Committee on Courts and Criminal Procedure voted 6-1 to advance a bill that would limit law enforcement use of drones, GPS tracking and cellphone searches. The bill would require police to obtain a warrant prior to using any of these surveillance methods in most circumstances. Some questioned the need to include GPS tracking in the bill, as police are currently limited to using the technology in investigations and emergency situations, but one representative noted that putting the limits into law may save court battles over evidence in the future. [The Associated Press]

US – Missouri Considers Constitutional Protection for Electronics

Sen. Rob Schaaf (R-St. Joseph) has proposed a bill to amend the Missouri Constitution to include “electronic communications and data” in the items protected against illegal search and seizure. During a hearing last week, no one testified against the measure. The report states that if approved by the legislature, the measure goes on the state ballot in November. [The Associated Press]

US – Law Enforcement Testing Predictive Analytics, Google Glass

The increased use of predictive analytics by law enforcement helps better identify where crimes will likely be committed, conduct investigations more efficiently and analyze behavioral trends and security threats. Meanwhile, the New York Police Department is testing out Google Glass, The New York Post reports, which could allow officers to see a suspect’s arrest record, mugshot and other profile data. “If it works, it could be very beneficial for a cop on patrol who walks into a building with these glasses on,” one source said, adding, “You can identify the bad guys immediately within seconds.” [InformationWeek]

US – California Assembly Passes Drone Bill, Including Data Retention, Use Provisions

The California Assembly passed a bill that would set strict limits on police use of drones and the data obtained from them. AB 1327 requires police to get a warrant prior to using drones for surveillance, except in emergencies, but it also requires them to notify the public when they plan to use drones and to delete all data collected by drones within six months unless the data collection was authorized by a warrant or is evidence. Other public agencies can also use drones but would have to obtain a warrant in order to share that data with the authorities. The Assembly passed the bill with a 59-5 vote, and it now heads to the Senate. [The Washington Post]

US – Georgia General Assembly Considers Two Drone Bills

Rep. Harry Geisinger (R-Roswell) has sponsored HB 846, which “would establish specific situations in which it would be legal for drones to capture images and would make it a misdemeanor for anyone to use a drone to capture an image for surveillance.” And Rep. Stephen Allison (R-Blairsville) proposed HB 848, which “would prohibit manned or unmanned aircraft from flying within 100 feet above the surface of a property for surveillance without a search warrant or permission of the property owner.” Hearings are yet to be set on either bill. [The Associated Press]

US – Iowa Considering Drone Privacy Bill

Iowa’s House Public Safety Committee discussed a bill that would prohibit law enforcement from using drone surveillance except in certain emergency situations, reports the Associated Press. The committee plans to make changes to the bill before approving it and will meet again to continue the discussion.

US – Minnesota Bill Would Regulate Police Drone Use

Legislation has been proposed in Minnesota to regulate police use of drones. While Minnesota authorities don’t yet use drones, this bill would require a warrant for drone surveillance except in situations of “imminent” danger. [The Associated Press]

US – New Hampshire Bill Would Restrict Police, Public Use of Drones

New Hampshire Rep. Neal Kurk (R-Weare) has proposed HB 1620 to restrict the use of drones by law enforcement and private individuals. This is the second time in two years he has tried to legislate the use of drones in the state. This bill is causing some controversy because it forbids intentional surveillance even in public places, which may infringe on first amendment rights, according to the director of the NH Civil Liberties Union, which, based on those grounds, does not support the bill. [The Union Leader]

US – Utah Sen. Introduces Drone Privacy Bill

Utah State Sen. Howard Stephenson (R-Draper) has introduced SB 167, which would prohibit state agencies from using drones without a warrant except in emergency situations or with written consent. The bill also puts limits on the retention of data obtained by drones. [Deseret News]


US – Ford Motor Co. Reveals GPS Privacy Practices

After comments from a Ford executive at the Consumer Electronics Show saying that Ford’s GPS system in its vehicles allows it to “know everyone who breaks the law” and a subsequent letter from Sen. Al Franken (D-MN), Ford sent a letter to Franken to reveal its privacy practices. Ford said it “is absolutely committed to protecting our customers’ privacy.” Ford Vice President of U.S. Governmental Affairs Curt Magleby wrote, “No location data is wirelessly transmitted from the vehicle without consumer consent,” and “Location data is used only to support customer requests for services and to troubleshoot and improve our products.” [Mashable]


SK – South Korean Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korea Herald]

Online Privacy

US – Ride-Sharing Suit Alleges Data-Sharing Without Consent

A lawsuit has been filed against ride-sharing company Lyft alleging it transmitted data about users to an analytics company. In a complaint filed Friday in a San Francisco federal court, Miguel Garcia says Lyft’s “decision to disclose its users’ sensitive personal information not only demonstrates a brazen disregard for their privacy rights, it also violates the California Privacy Act.” Garcia’s suit—which seeks class-action status—also names Lyft’s parent company, Enterprise Holdings. [MediaPost News]

WW – Google, comScore Team Up; Alternative Search Traffic on the Rise

Google and comScore have announced a partnership to better determine the effectiveness of web-based ads in real time and help businesses change ads on the fly. A Google representative said, “It’s going to, for the very first time, give advertisers and publishers real-time insights into whether their campaigns are delivering.” In a blog post, Google said it’s part of a larger plan to bring more transparency to advertising. Forbes reports on the rise in traffic to non-Google search sites. The CEO of Startpage and Ixquick said, “The consciousness is only slowly building on the dangers … It is very easy to see how this treasure trove of data can be misused in the future.” [The New York Times]

US – CA AG to Release Best Practices for DNT Compliance

California Attorney General (AG) Kamala Harris is planning to soon release final best practice guidelines for compliance with California’s new Do-Not-Track (DNT) law. AB 370 amends California’s privacy statute by requiring some web companies to disclose how they respond to DNT requests and state in their privacy policies whether third parties have access to tracking data. “Say what you do, and do what you say,” is the bottom line, said Joanne McNabb, the AG’s director of privacy education and policy. [MediaPost News]

Other Jurisdictions

AU – As Deadline Approaches, APPs Continue To Make Headlines

With the 13 Australian Privacy Principles (APPs) set to replace the Information Privacy Principles and National Privacy Principles in March, many articles are offering tips on what organizations should be doing to prepare. Paul Farrell details how the new laws will work, and Sylvia Pennington writes that those organisations that don’t take “reasonable steps” to comply “face the prospect of a big stick as the Office of the Australian Information Commissioner will have greater powers to investigate and the ability to impose penalties of up to $1.7 million for those found to be in breach.” Pennington highlights seven tips for organisations preparing for the APPs. Meanwhile, Australasian communications firm SenateSHJ predicts privacy will be one of the top issues and trends for 2014. [The Guardian]

NZ – Government Has ‘No Choice’ Over Privacy Info

The New Zealand Parliament is considering legislation that would allow the Inland Revenue Department to collect contact details, bank account numbers and transactions of Americans living in New Zealand to pass on to tax authorities in the US. A report by the Treasury says New Zealand risks damaging its economy if it does not supply the information: the US could block New Zealand’s financial institutions from investing in America or impose a 30% penalty on any profits derived from such investments. From July this year, the US will require all overseas banks and other financial institutions to hand over private financial details of their American customers in a bid to clamp down on tax evasion. Britain, France and Germany have already agreed to supply the information, and John Key said on Tuesday that New Zealand has to follow suit. [Source]

NI – Nigerian Bill Would Increase Authorities’ Access to E-Communications

Nigerian President Goodluck Jonathan has submitted a bill to the National Assembly that would allow security agents to “intercept and record electronic communications between individuals and seize usage data from Internet service providers and mobile networks.” The Interception of Electronic Communications bill states, in circumstances where the “content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings, a judge may on the basis of information on oath” order a service provider to turn over, record or retain consumer data or assist authorities in doing so. The penalty for noncompliance is N10 million for service providers and, for company directors, managers or officers, a three-year jail term, an N7 million fine or both, the report states. While some see the law as a help in fighting cybercrime and terrorism, others see it as a “direct assault on some of the most important of our individual freedoms.” [AllAfrica]

TU – Turkish Internet Bill Would See ISPs Retaining Data for Two Years

The Turkish government has proposed a bill that would give the country’s telecommunications authority the ability to block websites deemed to violate privacy and require Internet providers to retain users’ data for two years to be made available to authorities upon request. Some say the bill will bring censorship in Turkey to new heights and worsen press freedoms, but the government denies the accusations and says it will protect privacy. In this Deutsche Welle interview, Istanbul communications instructor Erkan Saka outlines what effect the law may have on citizens, saying, “The government’s access to personal data may be the worst aspect of the law.” [The Associated Press] SEE ALSO: [Turkey approves legislation to block Internet sites]

Privacy (US)

US – PCLOB Testifies Against NSA Tactics; Rand Paul Files Suit Over Them

Members of the Privacy and Civil Liberties Oversight Board (PCLOB) testified Tuesday at a Senate Judiciary Committee meeting that the NSA’s collection of phone records is unlawful. The board condemned the phone surveillance program in a report last month after a 3-2 vote. Sen. Rand Paul (R-KY) has filed a lawsuit against President Barack Obama and the heads of several intelligence agencies over the data collection. Meanwhile, Google is asking Congress to update the Electronic Communications Privacy Act so government would be required to obtain a warrant before accessing private communications. [The Hill] See also: [How Obama Officials Cried ‘Terrorism’ to Cover Up a Paperwork Error]

US – White House Publishes Cybersecurity Framework; Privacy Appendix MIA

A year after issuing an executive order, the Obama administration has released a cybersecurity framework for businesses to strengthen their networks against cyber-attacks. Developed by the Commerce Department’s National Institute of Standards and Technology, the voluntary guidance provides critical infrastructure businesses a roadmap for preventing and responding to cyber-attacks. An earlier draft of the framework was released last October, including a full section on privacy and civil liberties. Based on comments received, however, the appendix was taken out and “integrated into the main body of the framework,” one administration official said. [FierceGovernmentIT]

US – FTC Announces Settlement Over Safe Harbor Claims

The Federal Trade Commission (FTC) has settled with a children’s online gaming company after it “falsely claimed to be a certified participant” in the EU-U.S. Safe Harbor agreement. In its settlement announcement this week, the FTC noted the company had let its Safe Harbor certification lapse. “This does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws,” the FTC said. The proposed settlement prohibits the site “from making similar false claims in the future,” the report states. The FTC is taking “a more proactive look at this program in terms of enforcement,” FTC Chairwoman Edith Ramirez said at an event this week. [The Hill]

US – Harm Threshold Hard to Meet; Supreme Court May Soon Clarify Class-Action Questions

Dana Post of Freshfields Bruckhaus Deringer writes about the difficulty plaintiffs face in proving “future harm” after a data breach. “Where actual harm is sufficiently alleged—such as identity theft or fraudulent charges—a claim is more likely to proceed,” Post writes. Meanwhile, a Kansas federal judge recently dismissed two proposed class-actions filed over a breach at Nationwide Mutual Insurance Co., stating the plaintiffs couldn’t prove harm. Given the class-actions filed following Target’s recent breach, there is an increased focus on class certification, writes Amy Cadle Hocevar of Squire Sanders, adding the Supreme Court may soon provide guidance on who can and cannot comprise a class member. [The Privacy Advisor]

US – Warrantless Searches of Drug Database Blocked, Judge Rules

A federal judge has ruled that federal law enforcement’s warrantless searches of a state’s prescription drug database violate the Fourth Amendment. The Oregon Prescription Drug Monitoring Program was set up in 2009 to help pharmacists and doctors track certain prescription drugs covered by the Controlled Substances Act. The state requires law enforcement to obtain a warrant prior to access, but the U.S. Drug Enforcement Administration had argued federal law allowed it access to the data under an “administrative subpoena.” U.S. District Judge Ancer Haggerty said, “It is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records.” [Reuters]

US – SCOTUS to Hear Cellphone Privacy Cases

The Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court last Friday. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” [Politico]

US – Group to Ask Judge to Throw Out Facebook Settlement

Public advocacy group Public Citizen aims to pressure Facebook to change its practices on users’ comments, images and “likes” being used in advertisements. In a legal brief to be filed today at the Ninth Circuit Court of Appeals in San Francisco, the group will ask a judge to throw out a 2012 Facebook settlement on the matter, stating it violates laws in seven states because it doesn’t require Facebook to obtain permission from parents before using teens’ data. Meanwhile, Facebook has banned a couple of vendors from its site for privacy violations. [The New York Times]

US – “The Data Broker Industry Has for Too Long Operated in the Shadows”

Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) introduced legislation that would require data brokers to be transparent about their data collection practices and provide consumers with opt-outs and would give the Federal Trade Commission civil penalty authority to enforce it. The Data Broker Accountability and Transparency Act of 2014 (DATA Act) would also provide consumers with a means to correct data collected on them and prohibit brokers from being deceptive about their data collection. Markey said, “The data broker industry has for too long operated in the shadows, compiling dossiers on millions of Americans,” adding, “It is time to shine a light on this industry.” Last December, Rockefeller held a hearing and published a report on the industry. [Broadcasting & Cable]

US – Retailers Association Urging Privacy Self-Regulation

The leading retail industry trade group, the Retail Industry Leaders Association (RILA), is pushing for a self-regulatory approach to data privacy and cybersecurity. “Improperly conceived privacy regulations have the potential to unduly hamper the consumer experience, stifle innovation and make business practices too inflexible for customers with little, if any, additional privacy protection in return,” the RILA said in its 2014 Public Policy Agenda. Retailers have also asked financial organizations to begin issuing credit cards with chip-and-PIN technology. [The Hill]

US – License-Plate Reading Company Sues Utah

A Utah law aimed at protecting drivers’ privacy is being challenged by license-plate reading technology company Digital Recognition Network. Utah Sen. Todd Weiler (R-District 23), one of the new law’s sponsors, said, “It’s one thing to take a photo … It’s another to take photos every 80th of a millisecond and then store that data you can later be identified by.” According to the lawsuit, the company is invoking its First Amendment rights to defend its business. A Digital Recognition Network attorney said, “People tend to invoke privacy and suspend judgment … We don’t track people.” With several states considering similar legislation, the case could represent a litmus test on surveillance and First Amendment rights. [Associated Press] See also: [California: Lawsuit Filed Over License Plate Reader Secrecy]

US – IAPP Hits 15k Members

In February, the IAPP gained its 15,000th active member, a milestone that was celebrated with a company-wide e-mail containing 72-point font. And then everyone got back to doing the training, certification, education and member support work that got all those members to join us in the first place. We here on the IAPP Publications Team are grateful to all of you members for the trust you place in us by reading our work and the valuable feedback and volunteerism so many of you contribute on a daily basis. [Full Story]

US – Sen. Wants Data Brokers to Name Clients

The head of the Senate Commerce Committee wants data brokers to disclose the names of their clients—especially those that categorize people as financially vulnerable or by their health status. Sen. Jay Rockefeller (D-WV) wrote a letter to Acxiom, Epsilon, LexisNexis, NextMark and MEDbase 200 asking that they name all of their clients for the last five years. Rockefeller’s concerns include that customers are being treated unfairly as a result of the personal data stored on them. He recently said he’s “revolted” by reports that brokers sell such lists as “genetic disease sufferers.” [MediaPost]

US – Legislators Considering Regulating Biometrics

Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems.” The legislators are examining the issue in the wake of outrage from parents who learned last year that “students’ eyes were being scanned as a condition of boarding school buses in central Florida’s Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children’s data is taken,” the report states. [Reuters]

US – CA AG to Release Best Practices for DNT Compliance

California Attorney General (AG) Kamala Harris is planning to soon release final best practice guidelines for compliance with California’s new Do-Not-Track (DNT) law. AB 370 amends California’s privacy statute by requiring some web companies to disclose how they respond to DNT requests and state in their privacy policies whether third parties have access to tracking data. “Say what you do, and do what you say,” is the bottom line, said Joanne McNabb, the AG’s director of privacy education and policy. [MediaPost News]

US – Lawmakers Optimistic Data Privacy Law Will Pass

While SC Magazine reports on the current state of global data breach legislation, some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” [The Hill]

US – What the Target Incident Means for the SEC and Cybersecurity

“With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention,” write Jenner & Block’s Mary Ellen Callahan and Elaine Wolff. Callahan and Wolff look into the SEC’s guidance on cybersecurity, including recent comments by the agency that “underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition.” The Target incident, they point out, “highlights some of the limitations in the SEC guidance.” [Privacy Perspectives]

US – State AGs as Privacy Regulators—Q & A with Maryland AG Doug Gansler

Divonne Smoyer speaks with Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler’s focus was “Privacy in the Digital Age.” He tells Smoyer, “State attorneys general have long been champions of consumers’ privacy in the physical marketplace, where breaches of privacy are more easily contained,” explaining, “if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater.” [The Privacy Advisor]

US – As DOT Pushes For Connected Cars, Senators Want Privacy Considered

While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. [Politico] See also: [EU Reportedly Has Secret Plan For Kill-Switch On All New Cars]

US – Courts Tackle Privacy of Delivered Texts, Voicemails

The Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, Law360 reports that U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act. [Courthouse News Service]

US – Maine Committee Quashes Social Media Bill, Opts for Study

The Maine legislature will form a study commission to determine the need for a law barring schools and employers from requiring access to social media and personal e-mail accounts. After three committee meetings, a bill that would have banned this practice was voted down in favor of the study commission. While lawmakers generally agreed on the intrusiveness of requiring online account passwords, the report states “several wrestled with passing a bill that business leaders opposed because it could limit screening of job applicants, investigation of harassment disputes or protection of proprietary information.” [Portland Press Herald]

US – West Virginia House Passes Social Media Bill

The West Virginia House has passed legislation that would prohibit employers from requiring access to online accounts of employees or prospective employees, reports The Journal. Del. Stephen Skinner (D-Jefferson) sponsored the bipartisan bill, which he based on similar legislation passed in Maryland. The bill now heads to the Senate.

US – HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth

The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.” [The National Law Review]

US – Judge: Pedophile Investigators Can Use Metadata

A federal judge has ruled that investigators may use metadata to track sources of inappropriate photos of children. In his order, U.S. District Judge Gregg Costa wrote the metadata embedded in a photo of a four-year-old girl shared online solved the “needle-in-the-haystack problem” investigators face. The perpetrator’s attorney had argued phones retrieve GPS coordinates without notifying users, so “although the image was contraband, the legitimate expectation of privacy as to location and identity is not rendered unreasonable.” Costa disagreed, writing, “He gave up his right to privacy in that image once he uploaded it to the Internet … There is no basis for divvying up the image … into portions that are now public and portions in which he retains a privacy interest.” [Houston Chronicle]

US – Bean Wants Privacy for Rx Database

Opting for stronger privacy controls despite law enforcement concerns, the Senate Health Policy Committee has approved changes to Florida’s prescription drug database. As the News Service of Florida reports, bill sponsor and committee Chairman Aaron Bean said requiring investigators to get a court order to access the database will protect the privacy of patients. Law enforcement officials objected that the process will warn suspects of an investigation before they can be apprehended. The proposal includes a way to pay for the Prescription Drug Monitoring Program, which has had no reliable funding source: using extra funds from pharmacists’ licensure fees. There’s no companion bill in the Florida House. [Source]

Privacy Enhancing Technologies (PETs)

WW – Recent App Launches Seize Privacy as Selling Point

MIT’s Jean Yang has released a tool for app developers aimed at helping them relieve some of users’ privacy concerns when it comes to how apps use personal data. The tool reduces the probability of human error in writing code. Meanwhile, a start-up aiming to help app developers comply with COPPA rules has landed funding, and a Florida-based start-up has launched an app that allows users to chat and share photos within a private group. In fact, a number of new apps aim to allow for a more private or anonymous online experience. [MIT Technology Review]

WW – Researchers Create Android App To Show When Other Apps Track You

A team of researchers has developed an Android app to help people better understand when their location is being accessed, something that happens more often than people think. “All apps that access location need to request permission from the Android platform,” Janne Lindqvist, who led the research project, said via email. “The problem is that people don’t pay attention to these default disclosures.” Android phones display a flashing GPS icon when apps are trying to access the user’s location. But few people notice or understand what the icon is telling them, the researchers found. The app they developed is designed to fix that, by making it clearer to users when other apps are accessing their location data. They tried several methods, including a message that flashes on the device’s screen reading, “Your location is being accessed by [app name].” They’re in the process of readying their app for the Play Store. It doesn’t have an official name yet, but the working title is the RutgersPrivacyApp. “I’m happy to hear suggestions for a better one,” Lindqvist said. [Source]

WW – Apple Cracks Down on Tracking Apps; Developers Unhappy

NBC News reports that Apple has started cracking down on mobile apps that collect Identifiers for Advertisers (IFAs) without actually showing any advertisements to the user. Until this week, a clause Apple added in its developer license agreement had gone unenforced. Mixpanel’s Suhail Doshi said, “I really believe that most developers using IFA are trying to (understand) if spending money on advertising was cost effective—as opposed to ‘spying on their users.’” Doshi also warned, “The new policies around it are now likely to cause app developers, as a last resort, to do things that will be worse for consumer privacy as they work around IFA—with far less transparency.” [Full Story]

US – Cybersecurity Framework Released

The White House has released the first version of the Cybersecurity Framework, a collaborative effort between the National Institute of Standards and Technology (NIST) and companies in the private sector. The guidelines in the framework are voluntary measures that organizations that support elements of the country’s critical infrastructure can use to develop their information security programs. However, because the program offers no financial incentives to help companies reduce the costs of implementing the guidelines, companies may opt not to participate. While the guidelines are voluntary for private industry, it is likely that they will be required for government contractors. [The Register] [GovInfoSecurity] [InformationWeek] [ComputerWorld] [NextGov] [Bloomberg] AND [Cybersecurity Framework]

US – Retailers to Share Cyber-Threat Data

U.S.-based retailers are planning to establish an industry group for collecting and sharing cyber-threat intelligence in an attempt to thwart cyber-attacks similar to the one that compromised Target’s customers. The National Retail Federation will form the Information Sharing and Analysis Center (ISAC) by June. ISACs generally are run by security centers that operate 24 hours per day and alert members about emerging and potential threats, the report states. There are already a dozen such ISAC groups for financial, healthcare and other service industries. One expert said, “It will allow them to talk to each other about things (that) are hitting them, to know quickly if other people are experiencing the same things and if they’ve found good defenses that they can tell each other about.” [Reuters]

US – Platform Allows for Threat-Risk Data Sharing Between Gov’t, Public

A platform for sharing cyber-threat intelligence is being opened to general availability. Internet Identity’s ActiveTrust platform has been used for the last year by several dozen federal agencies, the report states, and aims to “leverage the convenience of social networking for information sharing while using the power of binding contracts to ensure the control of sensitive information.” The release follows an executive order last year calling for voluntary information-sharing systems between government and the private sector. [GCN] SEE ALSO: [Vancouver baby becomes first person to have three parents named on birth certificate in B.C.]

US – Privacy Appendix Dropped from NIST Framework

Nearly a month prior to the final release of its Cybersecurity Framework, the National Institute of Standards and Technology (NIST) has announced it will not include with it a separate appendix for privacy controls. According to the update from NIST, a separate methodology for privacy and civil liberties “did not generate sufficient support.” Sources said the appendix was added late in the process and caused trepidation and uncertainty. There were also concerns regarding corporate liability, particularly in the face of a data breach. NIST will instead incorporate a methodology developed by Hogan Lovells Partner Harriet Pearson, CIPP/US. In comments submitted to NIST, Pearson wrote, “To incentivize use of the Cybersecurity Framework, the privacy methodology must be clear and straightforward for the private sector to use.” [FierceGovernmentIT]

US – NYC Development Project Aims To Create Quantified Community

An urban informatics collaboration between developers of the Hudson Yards real estate project and researchers at New York University (NYU) aims to measure and model pedestrian flows, street traffic, air quality, energy use, waste disposal and recycling and the health and activity of laborers and residents, the report states. NYU researchers, aware of potential privacy concerns, back an opt-in regime for individuals whose activities and lifestyles would be measured. Collected data containing personal information will also be anonymized, the researchers said. The project may also help gauge people’s comfort level sharing personal information in such an environment. Meanwhile, a column for InformationWeek calls for a set of common policy principles for the Internet of Things ecosystem. [The New York Times]

US – New Technology “Can Track Everyone” for Hours at a Time

New surveillance cameras are capable of tracking “every vehicle and person across an area the size of a small city, for several hours at a time.” The cameras are unable to record license plates or faces, but “they provide such a wealth of data that police, businesses and even private individuals can use them to help identify people and track their movements,” the report states. There are clear law enforcement benefits to the technology, as the ACLU’s Jay Stanley acknowledges, stating, “If you turn your country into a totalitarian surveillance state, there’s always some wrongdoing you can prevent.” However, he warns, “The balance struck in our Constitution tilts toward liberty, and I think we should keep that value.” [The Washington Post]

Telecom / TV

US – Verizon Ad Program Will Track Web Habits

Recent changes to Verizon Wireless’ Relevant Mobile Advertising Program allow it “to track your desktop surfing habits on the web and use that information to help advertisers deliver targeted ads to your mobile phone.” In his report, Robert L. Mitchell discusses why he chose to opt out of the program, which will assign users “anonymous unique identifiers” that link back to mobile phones, allowing the company to offer advertisers information to deliver targeted ads. Mitchell writes, “Information is the coin of the realm. So if you have a choice, why give it away? What’s your personal data worth? Are you giving it up? And if so, are you getting value in return?” [Computerworld]

US – Cable Home WiFi Defaults as Public Hotspot

A new program by Comcast adds public hotspots to its users’ home-based modems by default. Customers can turn the signal off by opting out, but, according to the report, a Comcast FAQ does not provide instructions to turn off the service manually. Customers instead must call the company to find out how. Some customers are concerned about data privacy with the new program. Comcast has said “we anticipate minimal impact to the in-home WiFi network.” [Ars Technica]

US – Gov’t Considering Industry Alternative to NSA Data Storage

The government may look to industry as an alternative to National Security Agency (NSA) storage of bulk phone records. The government’s request for information (RFI) seeks information on commercially available services from U.S. industries, the report states, quoting comments from the Office of the Director of National Intelligence that the government is investigating options that would maintain “the current capabilities of that system and the existing protections for U.S. persons” without having the government store the metadata. The RFI follows President Barack Obama’s NSA speech last month calling for a new plan to “establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.” [IDG News] [NSA Collects Less Than 30 Percent of Phone Call Metadata | ZDNet | Ars Technica ]

US Government Programs

US – As DOT Pushes For Connected Cars, Senators Want Privacy Considered

While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. Editor’s Note: Future of Privacy Forum’s Joshua Harris wrote about the issue of privacy and connected cars in a recent post for Privacy Perspectives. [Politico] SEE ALSO: [How Big Brother’s going to peek into your connected home]

WW – Snowden Used Cheap Web-Crawling Software to Scrape NSA Data

Intelligence officials looking at how Edward Snowden gained access to “a huge trove of the country’s most highly classified documents” say he used inexpensive, widely available software to do so. Snowden used “web crawler” software to scrape data out of systems as he completed his daily tasks as a technology subcontractor for the NSA in a process that a senior intelligence official called “quite automated.” The NSA is currently collecting data on about 30 percent of phone calls in the U.S. [The New York Times] SEE ALSO: [Footage released of Guardian editors destroying Snowden hard drives | Video]

US – Reactions to Obama’s Plans for NSA Reform

Reaction to President Barack Obama’s speech announcing plans for National Security Agency (NSA) reforms on Friday swirled over the weekend. For the next stage of the reform process, much reform would have to come from Congress—an institution already divided—meaning “the future shape of the surveillance apparatus … remains far from certain.” The Times also broke down the proposed changes in relation to the NSA review panel recommendations. Obama’s speech also did little to reassure private industry. “The most interesting part of this speech was not how the president weighed individual privacy against the NSA,” said Indiana University Prof. Fred Cate, “but that he said little about what to do about the agency’s practice of vacuuming up everything it can get its hands on.” On Sunday, NBC’s “Meet the Press” devoted a segment to the future of the NSA programs. And, according to a new study, the NSA revelations could cost the U.S. cloud computing industry between $22 billion and $35 billion. [The New York Times]

US Legislation

US – DMA Says Data Broker Bill Would Weaken InfoSec

The Direct Marketing Association (DMA) believes a new bill introduced by Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) would create a security headache for companies that collect and share consumer data. DMA Senior VP of Government Affairs Peggy Hudson said, “Imposing an access-and-correction regime on marketing data is not necessary to protect consumer privacy, and doing so would make it harder for companies to keep data secure at a time when consumers are more concerned about identity theft than ever before.” Rockefeller has called the data broker sector a “booming shadow industry” and recently said, “Consumers deserve to know what information about their personal lives is being collected and sold to marketers by data brokers.” [AdAge]

US – FTC Approves COPPA Self-Reg Program

The Federal Trade Commission (FTC) has approved the kidSAFE Seal Program “as a safe harbor program under the Children’s Online Privacy Protection Act (COPPA) and the agency’s COPPA Rule.” The FTC is required by COPPA to review and approve all self-regulatory programs that would serve as safe harbors, according to an FTC press release. The commission determined in a 4-0 decision that the kidSAFE program provides “the same or greater protections for children” as those required in the COPPA Rule. [FTC Press Release]

US – Sens. Introduce Data Breach, Privacy Rights Legislation

A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents. Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the Federal Trade Commission to release a set of security standards for businesses holding consumer data. Sens. Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced the Personal Data Protection and Breach Accountability Act prior to Tuesday’s NTIA hearing. The act aims to deter preventable breaches, minimize consumer harm and promote information-sharing between federal agencies, law enforcement and the private sector, reports Dark Reading. Sen. Robert Menendez (D-NJ) has announced plans to introduce the Commercial Privacy Bill of Rights. The bill aims to “give consumers the protections they need, create common-sense accountability measures for businesses so our personal information is not held hostage to the power of our technology, place limits on both the type of information businesses may collect and limit how long they can retain that information,” Menendez said in his announcement.

US – California AG Sues Over Delayed Breach Response

The California Attorney General’s Office (CA AG) has filed a complaint against Kaiser Foundation Health Plan, Inc., saying the company’s data breach and subsequent delayed notification violate the state’s unfair competition law. The CA AG alleges that prior to the completion of Kaiser’s analysis of the breach, “it had sufficient information to notify at least some affected individuals,” Navetta writes, adding, “In the eyes of the CA AG, the failure of Kaiser to provide notice on a rolling basis, even if its investigation was not complete, amounted to a failure to provide notice ‘in the most expedient time possible and without unreasonable delay’ under California’s breach notice law.” [InfoLaw Group]

US – California Assemblywoman Proposes Victim Privacy Bill

Assemblywoman Toni Atkins (D-San Diego) has introduced AB 1623, which would ensure that victims of domestic violence are not denied help at family justice centers if they are undocumented immigrants or have a criminal history. The bill would also mean family justice centers would not be allowed to share certain information on victims with law enforcement or other agencies without the victims’ consent. [The San Diego Union-Tribune]

US – Kentucky Bill Would Prohibit Selling of Student Data

The Kentucky Senate Education Committee has unanimously approved a bill that would prevent the sale of student data by technology companies, require school districts to post lists of all third-party web-based services they use and provide for agency audits of schools’ data collection practices. Sen. Jimmy Higdon (R-Lebanon) notes that these protections are similar to those used to protect government data in the state, adding, students do not “have a choice when it comes to the online services they use … No company in a position to store private, school data should be able to sell that data for profit.” [The Associated Press]

US – Minnesota DPS Privacy Policy Brings Concerns for Insurance Costs

The Minnesota Department of Public Safety’s (DPS) new privacy policy means that it will not share drivers’ data in bulk anymore, as all other states do. The DPS will now charge $5 per record and records will only be available during business hours through a secure online system. While the state says, “This will increase data security, improve accountability and ensure that DPS will be able to audit all users,” Mark Kulda of the Insurance Federation of Minnesota says these are costs that will be passed on to customers and has concerns that residents will not be informed of recalls or be able to prove driving history for better insurance premiums. [KAALtv]

US – New Hampshire Considering Student Social Media Bill

A New Hampshire Senate committee held a hearing on Tuesday to consider a bill that would prohibit colleges and universities from asking for access to students’ and prospective students’ social media sites [Associated Press].

US – NJ Bill Would Require Cos to Contact Consumers Directly After Breach

New Jersey Assemblywoman Linda Stender (D-Union) has introduced legislation to toughen data breach notification standards by removing the ability of companies to use “substitute notice” as a means to notify customers affected by a large data breach, among other provisions. New Jersey law currently requires companies to notify residents upon reasonable belief that an unauthorized person accessed their data but provides for notice in the form of “contacting statewide media and posting a notice on its website” in the event of breaches affecting more than 500,000 people or costing more than $250,000. [Law360]

US – Montana Allows Review of Post-Suicide Medical Records

In response to the high number of suicides in the state, Montana legislators have passed a measure to allow a team to review the medical records of all suicide victims as of January 1 of this year. While HB 583 easily passed the House, Rep. Kirk Wagoner (R-Montana City) has concerns about the opt-out nature of the law. The team doesn’t have to ask permission to delve into the medical history of the victims but instead will take into consideration family objections. The Montana Suicide Review Team will look for patterns and make recommendations to lower suicide rates, and Montana’s Suicide Prevention Coordinator Karl Rosston says “None of this stuff is going to be isolating or be able to identify a specific case. This will be a comprehensive of all the suicides and patterns of behaviors. We’re not going to take one isolated incident and say ‘this is what happens’.” [KRTV]

US – South Dakota House Considering Student Privacy Bill

South Dakota’s House Education Committee will revisit SB 63 this week to protect the privacy of students who take educational assessments. South Dakota Secretary of Education Melody Schopp wrote a letter to U.S. Education Secretary Arne Duncan explaining the state cannot and does not link identifiable information to test scores. “We are prohibited to share any personally identifiable information with the federal government,” Schopp said, adding that the education department is in favor of the privacy policy. [South Dakota Public Broadcasting]

US – CA Senate Passes Bill To Protect, Limit Online Data Collection, Retention

The California Senate has passed SB 383, which would limit online retailers “in the amount and type of personal information they could collect” from consumers related to content they purchase and download online. It would also require them to dispose of the data once they don’t need it. Sen. Hanna-Beth Jackson (D-Santa Barbara), the bill’s author, says it would protect consumers from fraud, but online retailers say they need to retain the data in order to spot irregular transactions and allow consumers the convenience of sharing downloaded data between devices, among other reasons. [the Associated Press]

US – Nebraska Citizens Voice Privacy Concerns Over Wages Bill

The McCook Area Chamber of Commerce has voiced concerns over a bill recently introduced by Sen. Tanya Cook (I-District 13) that would see Nebraska companies with more than 50 employees posting the salaries of all their employees annually. The listings would be made without the identities of the individuals but would list salaries, job title, gender, age and years of service. [The McCook Daily Gazette]

Workplace Privacy

WW – Virtual Boss Keeps Workers on a Short Leash

Gr8Apes writes “Hitachi has created a ‘perfect virtual boss.’ The company is manufacturing and selling a device intended to increase efficiency in the workplace called the Hitachi Business Microscope (paywalled). ‘The device looks like an employee ID badge that most companies issue. Workers are instructed to wear it in the office. Embedded inside each badge, according to Hitachi, are “infrared sensors, an accelerometer, a microphone sensor and a wireless communication device.” Hitachi says that the badges record and transmit to management “who talks to whom, how often, where and how energetically.” It tracks everything. If you get up to walk around the office a lot, the badge sends information to management about how often you do it, and where you go. If you stop to talk with people throughout the day, the badge transmits who you’re talking to (by reading your co-workers’ badges), and for how long. Do you contribute at meetings, or just sit there? Either way, the badge tells your bosses.’” [Source] SEE ALSO: [Background checks for jobs raise privacy concerns] and [FL: Former Mount Sinai Medical Center Temporary Employee Sentenced In Identity Theft Tax Refund Scheme Involving The Theft Of Patient Information]

CA – Opinion: Employee PI Decision Noteworthy

Meghan Cowan examines a recent decision by the Office of the Alberta Information and Privacy Commissioner on the collection, use and disclosure of employees’ personal information. Cowan suggests the December decision, which stems from a complaint an employee filed under the Personal Information Protection Act (PIPA), “provides a noteworthy lesson for employers when managing sensitive employee medical information.” The information in question related to medical leave and disability benefits, the report states, meeting the definition of personal employee information under PIPA. “This decision is significant not only for delineating the consent and disclosure requirements around employee medical information in Alberta, but for privacy legislation in other Canadian jurisdictions,” Cowan writes. [Canadian Employment Law Today]



Privacy News Highlights 16-31 January 2014


WW – As Facial Recognition Uses Expand, Privacy Concerns Abound

Companies are working on facial recognition-based “VIP identification” for hotels and other businesses expanding “shoplifter-identification services with parallel programs to help retailers recognize customers eligible for special treatment.” Meanwhile, law enforcement agencies in one California county are “testing facial recognition technology to help identify people in the field.” A National Telecommunications and Information Administration event this week is expected to look at issues related to facial recognition technology, the report states, noting that on the topic of facial recognition, the Federal Trade Commission’s Jessica Rich has said, “This is another reason that we need omnibus privacy legislation.” Across the globe, Japan’s National Institute of Information and Communications Technology plans to test facial recognition at Osaka’s train station. [The New York Times]

WW – Facial Recognition Databases Demand “Responsible” Actions

In a column for The Atlantic, Profs. Woodrow Hartzog and Evan Selinger highlight the importance of separating facial recognition apps and large databases in order to protect privacy and relative anonymity in public. “No matter how powerful a facial recognition app is designed to be, it can’t get the job done without being connected to a database that links names to faces,” they write, adding, “the key is to ensure legal and social pressure demands the same responsible behavior from database owners as it does from designers, hosts and users of facial recognition technologies.” Meanwhile, CNET News reports on an augmented reality app planned for Google Glass. The Brain app would lay data from the virtual world—such as a Facebook profile—over what’s being observed in the real world. The company’s chief executive said, “We are trying to develop the platform … to try to anticipate and understand what you need and what you want and then present it when you need it.” [The Atlantic]


CA – Privacy Commissioner Provides Recommendations to Parliament for the Protection of Privacy Rights In National Security Efforts

On the occasion of International Data Privacy Day, a special report to Parliament by the Office of the Privacy Commissioner of Canada, with specific recommendations to address current issues surrounding privacy and national security, was tabled in Parliament. Building from consultation with a range of experts and civil society, the Office’s report makes a series of recommendations for Parliament to consider in order to strengthen privacy protection. Specifically, it suggests ways to increase transparency, modernize privacy laws and bolster Parliament’s oversight role. [Source]

CA – Canadian Spy Agency Gleaned Passengers’ Data From Airport’s Wifi

A federal electronic spy agency tracked thousands of people who passed through a Canadian airport using information gleaned from free wireless Internet service. Citing a secret document leaked by former U.S. security contractor Edward Snowden, CBC reported that Communications Security Establishment Canada (CSEC) collected data from passengers’ smartphones and laptops over a two-week period and tracked those devices for a week or longer afterward. CSEC is tasked with collecting foreign intelligence under law and can’t target Canadians, or anyone within Canada, without a warrant. CBC quoted several experts who said CSEC’s actions were “almost certainly illegal.” The document leaked is a 27-page presentation on a “trial run” of the program, dated May 2012, reported the CBC. The technology was to be shared with the so-called “Five Eyes” spy partnership composed of Canada, the U.S., Britain, New Zealand and Australia. [Source]

CA – Alberta to Update Privacy Law

Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional.” The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government’s intention to pass the amendments early in the fall 2014 session to comply with the court’s ruling,” Service Alberta’s Gerald Kastendieck said. The amendments will “focus on unions and picketing,” the report states, noting, “There won’t be a general review of the 10-year-old legislation this year.” [The Canadian Press]

CA – NF Premier Calls for Changes to Restrictions

Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended.” Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports. [The Globe and Mail]


WW – Researcher Identifies 212 Data Brokers; Fewer Than Half Allow Opt-Outs

Journalist and author Julia Angwin recently sought to find the information commercial data brokers store about her, she reports on her blog. During her research, she discovered some of the data was incorrect—one broker asserting she was a single mother with no education—and decided to opt out. But less than half of the 212 data brokers Angwin identified offered opt-outs—there are no laws requiring they do so. In this post, Angwin provides two downloadable spreadsheets for users to both identify data brokers and then decipher which of them allow opt-outs. [Privacy Tools] [DATA PRIVACY DAY: 56% are worried about the internet eroding their personal privacy]

WW – Which Information Do Consumers Most Closely Guard?

Though consumers don’t always know how companies collect their data, which often causes a “trust gap,” evidence exists that consumers are still willing to exchange some of their personal information for products and services. Create With Context (CWC) recently surveyed 800 consumers to find out what information they would be willing to give up “in exchange for 50% off three different items: a gallon of milk, a large-screen television and a new car.” This Privacy Perspectives post reveals what CWC’s Ilana Westerman and Gabriela Aschenberger found, including how “97% of respondents said they’d be willing to give up at least one piece of data about themselves in exchange for a discount,” while noting that consumers don’t guard “all their information with equal vigilance.” [Privacy Perspectives] [Has a jealous lover hired hackers to get into your e-mail?]

US – E-Receipts Helping Retailers Do More than Save Paper

Paper receipts are headed toward extinction, as e-receipts increasingly become commonplace. But e-receipts may serve more of a purpose for merchants than is obvious. “Merchants see digital receipts as a way to ‘engage’ with their customers. Translation: They see this as a new marketing channel—an efficient way to sell you more stuff,” the report states. While collecting customer data can be difficult, e-mailing receipts is “a fairly effective and simple way to get accurate contact points for your customer base,” says one CEO. A recent Epsilon International report found that 83% of retailers offering e-receipts did so to obtain a customer’s e-mail address. [Today]

US – Ad Agencies More Worried About Scale than Privacy

At a recent meeting of digital ad agencies, representatives indicated a lack of concern about the future safety of customer data, despite recent hacks at Target, Neiman Marcus and Snapchat. The agencies said clients are excited about hyper-location data tools. Asked what the biggest hurdles may be to marketing on mobile and whether privacy and security were top-of-list, agencies instead cited a need for bigger audiences and getting technology startups to explain how their tracking products work. The director of mobile strategy at Horizon Media said while clients are excited about new data, they rely on the ad agencies to be sure privacy issues are addressed. [Forbes]


US – White House Launches Future of Privacy Review

John Podesta, a counselor to the president, announced in The White House Blog he will lead a review on how “Big Data will affect the way we live and work; the relationship between government and citizens, and how public and privacy sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy.” Podesta will be joined by the secretaries of commerce and energy as well as science and economic advisors and “other senior government officials” to “help identify technological changes to watch; whether those technological changes are addressed by the U.S.’s current policy framework, and highlight where further government action” may be needed. [White House blog]

US – Justice Dept. to Allow More Transparency; More Surveillance Programs Revealed

Ahead of President Barack Obama’s annual State of the Union speech on what many in the privacy community know as Data Privacy Day, the Justice Department agreed to let technology companies disclose more data to the public on national security requests. The agreement will allow companies—including Facebook, Apple, Microsoft, Google and Yahoo—to publish additional aggregate information, including, for the first time, Foreign Intelligence Surveillance Court requests. This roundup for The Privacy Advisor looks into the agreement and what’s expected from Obama’s State of the Union address tonight, as well as new documents leaked by Edward Snowden on the U.S. NSA and UK’s GCHQ surveillance programs. [Privacy Advisor] See also: [Federal government tweets take weeks to produce]

US – State Department Inspector Finds Security Issues Remain Unaddressed

According to an audit report from the Office of Inspector General (OIG), there are “significant and recurring weaknesses in the Department of State information system security program.” The IG was critical of the department’s failure to address security problems found in previous audits. [GovInfoSecurity] See also: [B.C. auditor-general warns of cyberthreats]

CA – Spy Agency’s Work With CSIS, RCMP Fuels Fears of Privacy Breaches

Canada’s foreign-intelligence surveillance agency received nearly 300 requests for assistance from domestic security agencies over a four-year period – a degree of collaboration that is raising alarm bells for privacy advocates. A disclosure from Communications Security Establishment Canada, obtained by The Globe through an Access to Information request, shows the Canadian Security Intelligence Service sought help from CSEC 205 times between 2009 and 2012. The RCMP made 85 such requests during the same time span. These “support to lawful access” figures – which have never been released before – show that close collaboration with other federal agencies is routine for Canada’s electronic-eavesdropping agency. Watchdogs and judges have recently raised concerns that ill-considered intelligence collaborations can lead to illegal wiretapping, wrongful arrests – or even violence against travelling Canadian suspects who are red-flagged to intelligence agencies operating overseas. On Tuesday, the Office of the Federal Privacy Commissioner called upon CSEC to “proactively disclose” just how much it is working with the other federal agencies. [Source] See also: [REPLAY: Ontario Privacy Commissioner Ann Cavoukian’s International Privacy Day 2014 Event “Big Surveillance Demands Big Privacy – Enter Privacy-Protective Surveillance”] [Source] and [NSA Spying Sends Data to Canada]

US – DHS Warns Contractors of Data Breach

The US Department of Homeland Security (DHS) has notified contractors that sensitive data belonging to their companies, including private documents and bank account information, were compromised in a security breach. The incident affects at least 114 companies that bid on a DHS Science and Technology Division contract last year. [DarkReading] [KrebsOnSecurity]

US – Website Marketing Driver Records Scrutinized

Did you know the state sells your driving information and has been doing so for decades? Now the process is ready to be brought online and that’s raising concerns about identity theft. “We’re literally selling the personal information of people who register their vehicles in Connecticut to private insurance companies,” said Sen. Robert Kane, R-CT. Kane said he’s worried about what will happen when the state puts all of that information online. In the past, companies would have to request the information they need and would receive it in large data files. Last year the state made more than $20 million by selling driver’s license information to companies. [Source] See also: [Site lets Swedes snoop on friends’ criminal past]


WW – Yahoo Resetting Passwords After Compromise Attempts

Yahoo has reset passwords for Yahoo Mail accounts that appear to have been compromised. Yahoo said that the attackers had likely stolen usernames and passwords from a third-party database and attempted to use the information to log into Yahoo Mail accounts. Users whose accounts were affected received messages from Yahoo notifying them of “unusual activity on the network.” [Internet Storm Center] [CNN] [ComputerWorld] [TheRegister] [Ars Technica] and: [US: No sixth sense: ‘123456’ is worst password of 2013] and also: [How Canada’s Anti-Spam Enforcers Will Cooperate, Coordinate, Share Information]

Electronic Records

US – Students Expelled After Hacking Into School Computers

A California high school has expelled 11 students “accused of using keyloggers to spy on their teachers’ computer systems, infiltrate the network and change their grades electronically”—the maximum discipline penalty allowed by the education code. The students allegedly worked with a tutor to learn how to hack into Corona del Mar High School’s systems with the goal of changing their grades and stealing tests, the report states, noting police are seeking to interview the tutor. Officials have said they are unsure how many grades were changed, but a total of 52,000 grades issued over a one-year period are being audited. [CNet]

US – ND Leads Nation in Electronic Medical Records Use

In North Dakota, medical records are more likely than other states to be stored electronically rather than in a paper folder. A report this month from the national Centers for Disease Control and Prevention said North Dakota health care providers are ahead of the rest of the country in adopting electronic systems to manage patient records. According to the report, 82.9% of North Dakota’s office-based physicians use a basic electronic health record system. The next highest rate was in Minnesota, with 75.5%. New Jersey’s rate was the lowest, at 21.2%. The study defines a basic records system as one that allows doctors to access patient history, demographics, patient problems, clinical notes, medications and allergies, test results and other information. The national average for adoption of basic systems was 48% in 2013. The average for doctors using any type of electronic records, other than for billing, was 66%. North Dakota is part of a cluster of states with significantly higher than average adoption, including South Dakota, Minnesota, Iowa and Wisconsin. [Source]

NZ – Patients to Run Health Care Online

The face of New Zealand healthcare will change before the year is out as Kiwis are signed into patient portals allowing them to self-manage their medical records, book doctor appointments and chat to their GP online. The new multi-million dollar electronic healthcare system is a hybrid of internet banking and social networking – giving patients a secure account to view their medical records and test results, but also a private platform to instantly message their GP. National health IT board director Graeme Osborne said the patient portal service was “ground-breaking”. It would empower Kiwis to take control of their own healthcare. More than 50 per cent of the country’s general practices would be using the service by the end of 2014, he said. [Source]


WW – Cryptographers, Others Sound Off on NSA Programs

There is pressure on the U.S. government to reform the NSA’s surveillance programs, most recently from more than 50 cryptography experts in an open letter published this week. “The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy and the U.S. technology sector is readily apparent,” the letter reads. Meanwhile, the Republican Party passed a resolution at its annual meeting on Friday condemning the NSA’s massive collection of data. Stanford Center for Internet and Society’s Jennifer Granick writes on the Privacy and Civil Liberties Oversight Board’s report that NSA data collection is illegal. [The Verge]

US – Lavabit Case Highlights Legal Fuzziness Around Encryption Rules

CIO reports on the fight by Ladar Levison, founder of the now-defunct e-mail encryption service Lavabit, against contempt-of-court orders. The case involves Levison’s refusal to hand over data on a particular user—rumored to be Edward Snowden—when the government came knocking for it; specifically, they wanted Levison’s SSL keys, which decrypt the encrypted data. Three judges for the Fourth U.S. Circuit Court of Appeals in Virginia are hearing the case, one of whom criticized the FBI agents involved in the case for not working with Lavabit to overcome the technical obstacles that delayed Levison’s eventual compliance. The government does not plan to prosecute Levison for obstruction of justice for shutting down Lavabit, the report states. [CIO] See also: [Footage released of Guardian editors destroying Snowden hard drives] [Footage of the hard drives being destroyed]

EU Developments

EU – German Court of Justice Clarifies Rules on Credit Scoring, Access

Germany’s Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. Hunton & Williams’ Privacy and Information Security Law Blog reports that “while credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act,” they do not have to disclose their methods in determining the score.

EU – Making a Privacy Law for the 21st Century

With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, who reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.” [Privacy Perspectives] See also: Outgoing European Data Protection Supervisor Peter Hustinx has agreed to stay on the job until October after the European Commission rejected the candidates seeking to replace him. [Confusion over EU data protection watchdog resolved]

UK – Court Confirms Privacy Tort and Addresses Meaning of Personal Information

On January 16, 2014, the English High Court of Justice issued reasons in Vidal-Hall v. Google Inc. relating to an appeal of a Master’s decision to allow Google to be served outside of the jurisdiction in relation to claims brought in connection with tracking and collating information relating to the claimants’ internet usage through the claimants’ Apple Safari internet browser. Importantly for the UK, the High Court explicitly recognized the tort of misuse of private information (at para. 70). Perhaps more far-reaching, at least from the perspective of the ongoing debate in Canada and elsewhere concerning the boundaries of what is “personal information”, the High Court addressed the argument that the information generated by the claimants’ searches and used in interest-based advertising was not really personal information. Spoiler alert: the court followed similar logic to that of the Office of the Privacy Commissioner of Canada in its online behavioural advertising guidance. [Source]

EU – Regulation Won’t Be Adopted Before May Elections

With several member states aiming to water it down, the revised data protection law will not be adopted before European Parliament elections in May. EU Justice Commissioner Viviane Reding and the lead negotiators on the package agreed to set the deadline for before the end of the year. German Green MEP Jan Philipp Albrecht said the timetable established seeks a mandate for negotiations in June, adding, “If it will be possible to stick to this timetable, this would be good news and important.” The member states aiming to soften the regulation—UK, Denmark, Hungary and Slovenia—would prefer to see it turned into a directive instead. [EUObserver]

EU – Reding Calls for Billion-Dollar Fines

European Commission Vice President Viviane Reding is calling for larger fines against companies that breach the EU’s privacy laws. Reding “dismissed recent fines for Google as ‘pocket money’ and said the firm would have had to pay $1 billion under her plans for privacy failings,” the report states, noting she believes increased punishments are needed to encourage firms to take personal data use more seriously. Meanwhile, a separate report says the EU’s Court of Justice “is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational Internet service providers that process personal data abroad but have a business presence in a local jurisdiction.” [BBC News]

EU – EU Has Secret Plan for Police to ‘Remote Stop’ Cars

The EU is secretly developing a “remote stopping” device to be fitted to all cars that would allow the police to disable vehicles at the flick of a switch from a control room. Confidential documents from a committee of senior EU police officers, who hold their meetings in secret, have set out a plan entitled “remote stopping vehicles” as part of wider law enforcement surveillance and tracking measures. “The project will work on a technological solution that can be a ‘build in standard’ for all cars that enter the European market,” said a restricted document. The devices, which could be in all new cars by the end of the decade, would be activated by a police officer working from a computer screen in a central headquarters. Once enabled the engine of a car used by a fugitive or other suspect would stop, the supply of fuel would be cut and the ignition switched off. The technology, scheduled for a six-year development timetable, is aimed at bringing dangerous high-speed car chases to an end and to make redundant current stopping techniques such as spiking a vehicle’s tyres. The proposal was outlined as part of the “key objectives” for the “European Network of Law Enforcement Technologies”, or Enlets, a secretive off-shoot of a European “working party” aimed at enhancing police cooperation across the EU. [Source]

Facts & Stats

WW – A New Handy Guide to Global DPAs

The legal world is still fond of reference books. How many of you have giant binders on your shelves into which you insert this year’s latest update on some area of law or other? For a quickly changing legal environment like privacy, though, your binder fills up fast. Pretty soon, you need another binder. Luckily, we have the Internet. DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 2.0 just in time for Data Privacy Day. [The Privacy Advisor]


WW – Microsoft Hints Overseas Users Can Store Data Outside U.S.

Microsoft General Counsel Brad Smith has suggested that overseas users will be able to store their data outside of the U.S., in what Reuters reports as “the most radical move yet by a U.S. technology company to combat concerns that U.S. intelligence agencies routinely monitor foreigners.” According to Financial Times, Smith said users “should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.” As one example, Smith said, Europeans could choose to store their data in Microsoft’s data center in Ireland. [Reuters]


CA – Law That Hides Massive Health Privacy Breach from Patients Is Useless

When nearly one-sixth of all Albertans have their medical information stolen, and nobody says a damn thing about it for nearly four months, a lot of people are going to be very angry. Fred Horne, for instance. He’s the health minister. He was also a patient at a Medicentres clinic, the group whose information technology “expert” left a laptop loaded with 620,000 patient records lying around. He makes the crucial point: “We need to think about who was left out of this equation — the patient.” Patients and the public should have been told within days — by the Edmonton police, the Medicentres group and most certainly by Alberta’s Information and Privacy Commission, which was informed right at the start but sat on the information. [Source] [Four other cases of stolen health data in Alberta] [Minister ‘outraged’ over stolen laptop holding 620,000 Albertans’ health data]

CA – Former Inmate Denied Access to Own Medical Records

A former Ottawa-Carleton Detention Centre inmate who was allegedly viciously assaulted by a guard has been denied access to his own medical records. The Ministry of Community Safety and Protective Services refused to provide Jean Paul Rheaume with his medical records from the jail on the basis that the information was a record relating to the ongoing prosecution of his alleged attacker. The Information and Privacy Commissioner of Ontario upheld the decision. This week, Rheaume requested a divisional court overturn that decision. In a court filing seeking to overturn the ruling, Rheaume’s lawyer argued the effect of the Information and Privacy Commissioner’s ruling “is the perverse result that a victim of crime is denied access to his medical records.” [Source]


US – Will Transparency Calm Concerns Over Government Access?

In light of the agreement by the U.S. Department of Justice to allow Internet companies to disclose more aggregated data on law enforcement requests for access to user information, Hogan Lovells’ Christopher Wolf delves into whether increased transparency will quell concerns over government access. Wolf writes, “The transparency reports, which soon will have greater granularity, should help the world understand that the U.S. is hardly alone in its national security practices and that reform needs to be viewed as a global concern.” [Privacy Perspectives]

US – DOJ Relaxes Gag Order on Government Data Requests

In response to legal challenges from tech companies, the US Justice Department (DOJ) has agreed to relax the gag orders that accompany certain government requests for data. Companies are now permitted to release information about the numbers of National Security Letters (NSLs) and Foreign Intelligence Surveillance Court (FISC) requests they receive; those numbers must be reported within ranges of 1,000. The companies may also release information, again in the broad ranges, of the number of customer accounts affected by the requests. If the companies choose to combine the data for NSL and FISC requests, they may publish within ranges of 250. The data may be published every six months with a six-month delay. The DOJ has also imposed a two-year delay on reporting statistics from the date “the first order … is served on a company for a platform, product, or service … for which the company has not previously received such an order.” [WashPost] [NYTimes] [WIRED] [FISA Court Notice]


SK – Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korean Herald]

US – Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision”

Bloomberg reports on a revised privacy lawsuit against Google. The suit alleges the company commingled data across its services and products—in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the commingling of data deprived them of the “economic value” of their data, the report states. Thursday’s revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.” [Full Story]

WW – Second-Hand Chrome Extensions Are Being Turned into Adware

At least two Chrome browser extensions that were sold have been used by their new owners to launch aggressive advertising campaigns. A developer reported last week that after he sold his extension, it was turned into adware. That extension had more than 30,000 users before it was sold. Another developer reported a similar incident. Chrome extensions are updated in the background without user interaction unless the extension’s permissions are changed. The adware, which works in the background to inject specific ads into the sites users visit, violates the Chrome Web Store developer program policies. Google has banned the two now-questionable extensions from the Chrome Store. It is possible that second-hand extensions could be used for more malicious purposes. [ComputerWorld] [ZDNet] [LATimes]
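The mechanism described above, background updates that Chrome installs silently as long as the extension’s permissions do not change, is what lets a sold extension be turned into adware without its users noticing. An extension that already holds broad host access and a content script on every page needs no new permission to start injecting ads. The following audit script is an added example, not code from the article, from Google or from the affected developers: it reads extension manifests (both the older MV2 layout and the MV3 layout) and flags the combination an ad-injecting update would need. The three manifests are constructed for illustration, and the risk rules are this example’s own heuristics, not Chrome Web Store policy.

```python
"""Audit Chrome extension manifests for the capabilities a silent
ad-injecting update would need.

Added example; the sample manifests are constructed and the rules are
heuristics of this example, not Chrome Web Store policy.
"""
import json

# Match patterns that cover every site (or every site on a scheme).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Web Store extensions either omit update_url or point it at Google's service.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def is_broad_host(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS


def host_patterns(manifest: dict) -> set:
    """Collect host match patterns from both manifest layouts.

    MV2 mixes host patterns into "permissions"; MV3 moves them to
    "host_permissions". Entries in "permissions" without "://" (tabs,
    storage, ...) are API permissions, not hosts.
    """
    hosts = set()
    for perm in manifest.get("permissions", []):
        if perm == "<all_urls>" or "://" in perm:
            hosts.add(perm)
    hosts.update(manifest.get("host_permissions", []))
    return hosts


def content_script_matches(manifest: dict) -> set:
    matches = set()
    for script in manifest.get("content_scripts", []):
        matches.update(script.get("matches", []))
    return matches


def audit_manifest(manifest: dict) -> dict:
    """Return the findings for one manifest and whether an update could
    add ad injection without triggering a permission prompt."""
    findings = []
    if any(is_broad_host(h) for h in host_patterns(manifest)):
        findings.append("broad host access")
    if any(is_broad_host(m) for m in content_script_matches(manifest)):
        findings.append("content script on every page")
    update_url = manifest.get("update_url")
    if update_url and update_url != WEB_STORE_UPDATE_URL:
        findings.append("self-hosted update_url")
    # Chrome prompts only when an update *adds* permissions, so broad host
    # access that is already granted is what makes a silent takeover possible.
    return {
        "name": manifest.get("name", "?"),
        "findings": findings,
        "silent_update_risk": "broad host access" in findings,
    }


def load_manifest(path: str) -> dict:
    """Read a manifest.json from an unpacked extension directory."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_all(manifests) -> list:
    """Audit many manifests, riskiest first."""
    results = [audit_manifest(m) for m in manifests]
    return sorted(results, key=lambda r: (r["silent_update_risk"], len(r["findings"])), reverse=True)


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    {"manifest_version": 3, "name": "Word Counter", "version": "1.0",
     "permissions": ["activeTab"]},
    {"manifest_version": 2, "name": "Tweet This Page", "version": "2.3",
     "permissions": ["tabs", "storage", "<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    {"manifest_version": 3, "name": "Coupon Helper", "version": "0.9",
     "host_permissions": ["*://*/*"],
     "update_url": "https://updates.example.invalid/helper.xml"},
]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_MANIFESTS):
        flag = "RISK" if result["silent_update_risk"] else "ok  "
        print(flag, result["name"], "-", ", ".join(result["findings"]) or "none")
```

To audit a real profile, point `load_manifest` at each `manifest.json` under the profile’s `Extensions` directory; anything that reports `silent_update_risk` is an extension whose next update could start injecting content into every page without a prompt, so its ownership and update source deserve a look.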

Health / Medical

US – Is Policy Needed for “Personal Representative” PHI Disclosures?

Federal health IT advisors are struggling with whether new policies are needed to address an ongoing and increasingly common HIPAA issue likely to grow as baby boomers age. The issue at hand is caregiver, family member and “personal representative” access to patients’ personal information, the report states; HIPAA’s privacy rule requires covered entities to provide someone authorized under state law to act on a patient’s behalf with access to their personal health data. The Health IT Policy Committee’s Privacy & Security Tiger Team Co-Chair Deven McGraw discussed whether policy should be developed on the matter or if “best practices” recommendations would suffice. [Government Health IT]

US – World Privacy Forum Releases New HIPAA Report

The World Privacy Forum (WPF) has released a new report on a recently added option within the Health Insurance Portability and Accountability Act (HIPAA) on the right to restrict disclosure. Co-written by WPF Founder and Executive Director Pam Dixon and privacy and information policy consultant Bob Gellman, Paying out of Pocket To Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right To Restrict Disclosure looks into this new right as it “will take effort and planning for patients to utilize effectively,” the WPF press release states. [WPF] [AB: Former privacy czar says tougher laws needed in wake of latest health breach]

Horror Stories

US – OfficeMax Blames Data Broker for “Daughter Killed” Mailing

In one of the latest developments in the headline-making story of a targeted mailing sent to a Chicago man with the disturbing words “Daughter Killed in Car Crash or Current Business” as part of the address, OfficeMax has said it “unintentionally bought (that information) from a third-party data broker.” OfficeMax requested a mailing list from the broker “for Businesses, Small Offices and Home Offices … NO personal information qualifiers were part of our request; we were not seeking personal information and did not ask for it,” a company spokesperson wrote. “As an additional measure to prevent future mailing errors, we have upgraded the filters designed to flag inappropriate information.” [Forbes]

US – Target Breach Used Stolen Vendor Access Credentials

A Target spokesperson said that the breach that compromised payment card details and personal information of millions of the retailer’s customers came about through credentials stolen from a vendor. A preliminary look at the malware used in the breach suggested that the attackers may have exploited a vulnerable feature in IT management software on the company’s internal network. [GovInfoSecurity] [ZDNet] [Ars Technica] [ComputerWorld] [KrebsOnSecurity] [InformationWeek] See also: [Visa Issued Alerts Last Year About Type of Attack Used Against Target and Neiman Marcus] and [Laptops Stolen From Coca-Cola Contained Unencrypted Employee Data] and [Stolen Laptop Contains Health Data of 620,000 Alberta, Canada Residents] and [Personal information from 100 million South Korean credit cards stolen]

US – LabMD: FTC Investigation Forced Closure

Atlanta-based LabMD shut down its operations this week due to the ongoing FTC investigation over a data breach there, Computerworld reports. LabMD CEO Michael Daugherty says the FTC’s investigation is an “abuse of power” and has accused the FTC of overstepping its authority in its pursuit of LabMD. He added that the small company is “exhausted” from the last four years, during which the FTC has subpoenaed dozens of LabMD employees, required executives to travel to give depositions and requested information from the company. [ComputerWorld]

Identity Issues

US – Twitter Account Lost to Extortionist

A California man claims to have lost his Twitter account to an extortionist who was allegedly holding the man’s other online accounts and services hostage. Naoki Hiroshima has been using the @N Twitter account since 2007 and says that there have been numerous other attempts to steal it. The extortionist managed to gain control of Hiroshima’s domain name and through that, was able to control Hiroshima’s email. Hiroshima surrendered the Twitter handle to regain control of the domain names, and was also able to get the hacker to tell him how he managed to gain control of the domain names in the first place. [TheRegister] [ArsTechnica] [eWeek]

US – FTC Settles Safe Harbor Charges Against 12 Companies

The FTC has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission’s Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.” [FTC]

US – Verizon Releases First Transparency Report

In a press release on its website, Verizon has released its first transparency report for law enforcement requests in the U.S. and “other countries in which we do business.” According to the release, “Although Verizon has released a great deal of information over the past few years regarding the number of law enforcement demands we’ve received, Verizon’s online Transparency Report now makes an expanded data set more easily accessible.” The company said it will update the report semi-annually. Verizon also said it saw an increase in the number of law enforcement demands in 2013, as compared to 2012. [Source]

Intellectual Property

US – Farmers Warned About Sharing Data with Monsanto, Others

Midwest farmers can sign up for services that allow “big agribusiness” to collect data “minute by minute, as they plant and harvest their crops … promising to mine that data for tips that will put more money in farmers’ pockets.” However, the American Farm Bureau Federation is warning farmers to be cautious, the report states, suggesting such services “could threaten farmers’ privacy and give the big companies too much power.” One participant in an experimental data-sharing system from Monsanto said, “My theory is, if they have my information, and they’re out there working with me, I’m hoping that they’re going to bring me a better product.” [NPR] See also: [This Google Glass user went to the movies. Then he got interrogated for about four hours]

EU – Study Says France’s Three-Strike Policy Has Not Curbed Piracy

A study of French Internet users found that the country’s “three-strikes” anti-piracy policy has had little to no effect on users obtaining pirated content. The policy “has not deterred individuals from engaging in digital piracy [nor has it lessened] illegal activity of those who did engage in piracy,” according to the report’s authors, researchers at the University of Delaware and the University of Rennes. The report does mention another study that found a 20-25 percent increase in sales of French music on iTunes shortly before the law took effect, but they say it was due to “public education efforts” instead of the law itself. [ArsTechnica] [SSRN]

US – Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA

The US District Court for the Northern District of California has dismissed a lawsuit against Keith Freedman, who was accused of accessing and copying information from his former employer’s servers. The suit alleged that Freedman had violated provisions of the Computer Fraud and Abuse Act (CFAA). Freedman used valid credentials to access the information, according to the court, which does not constitute a violation of the CFAA. Freedman was accused of accessing his former employer’s data while using access credentials issued to one of the firm’s customers while Freedman was doing work for both companies. US Magistrate Judge Paul Grewal wrote, “CFAA regulates access to data, not its use by those entitled to access it.” [ComputerWorld] [CourthouseNews]

EU – Dutch Court Lifts Ban on the Pirate Bay

A Dutch court has lifted a ban on The Pirate Bay, allowing Internet service providers to permit users to access the torrent site. The Dutch Court of Appeals in The Hague determined that a ban on The Pirate Bay had proven to be ineffective at stopping piracy. The court found that while the block order reduced traffic to The Pirate Bay, torrent levels did not decline. Users determined to obtain copyrighted material illegally were finding ways of obtaining the content. The ruling also means that the anti-piracy group that brought the original case must now pay ISPs 400,000 euros (US $542,000) in legal costs. That group, Brein, is considering taking the case to the country’s Supreme Court. [BBC] [SC Magazine]

Internet / WWW

WW – New Whitepapers on Cloud Computing

The IAPP has recently posted four articles by Kuan Hon, Christopher Millard, Ian Walden and Julie Hornle of Queen Mary University of London. The articles cover topics including what personal data is regulated in cloud computing, who is responsible for it, jurisdiction concerns and exporting data outside the European Economic Area. [IAPP Resource Center]

WW – IAPP Releases Two New Whitepapers for #DPD2014

Looking for tools to help you spread the message of privacy professionalism through your organization or community? The IAPP has released for Data Privacy Day two new whitepapers. “Privacy Policies: How To Communicate Effectively With Consumers” is a collaboration between the IAPP, Kinsella Media and Rust Consulting and features new research on how consumers interact with privacy notices posted online. “Privacy 101 for SMEs: The Best Defense Is a Good Offense” was written by IAPP VP of Research and Education Omer Tene and Network Advertising Initiative President and CEO Marc Groman, and provides practical advice for setting up a privacy program at, for example, a small tech start-up. Both papers are free for download and can be distributed as you see fit. [Privacy 101 for SMEs]

WW – At World Economic Forum, Industry Leaders Call for New Privacy Rules

In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system.” Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100% privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch’s call this week for “a clear regulatory framework to keep intelligence services in check.” [CNET News] See also: [Exit records: Crossing the border can be a matter of public concern] [Canada, U.S. to share names from border crossings] and [Dear America, I Saw You Naked]

WW – Edward Snowden Has Been Nominated for a Nobel Peace Prize

Edward Snowden spent the last year revealing some of the government’s most tightly held secrets, kicking off a massive debate about the proper role of America’s intelligence services. Now, a pair of Norwegian politicians have nominated the NSA leaker for a Nobel Peace Prize. In their nomination letter, Baard Vegar Solhjell and Snorre Valen, who hail from the Socialist Left party, said Snowden’s revelations “contributed to a more stable and peaceful world order.” [Source] See also: [Snowden Calls Russian-Spy Story “Absurd” in Exclusive Interview]

US – How To Solve Obama’s Big Data Challenge

Speaking to a group of students earlier this week, White House Deputy Chief Technology Officer Nicole Wong discussed the challenges of addressing privacy when utilizing Big Data and highlighted President Barack Obama’s recently announced Big Data study to be headed by John Podesta. By making these recent remarks and initiating this new study, “President Obama grabbed the Big Data bull by the horns,” write Future of Privacy Forum Co-Founders Jules Polonetsky, Christopher Wolf and Omer Tene. These three privacy experts lay out the potential privacy concerns while addressing “the profound impact of new technologies on Big Data business opportunities,” adding, “Big Data was all the rage in privacy circles in 2013, and now it is achieving appropriate, broad policy attention.” [Privacy Perspectives]

Law Enforcement

WW – The All-New IAPP Mobile App Privacy Tool

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. You may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data. The IAPP’s Westin Research Center has launched a new tool to help with compliance requirements imposed by regulators and trade associations in both the U.S. and Europe. [Comparison of Mobile Application Guidelines Tool]

US – Officials Want Rules on Data Breach Disclosures

U.S. law enforcement officials have called on Congress to draft stricter requirements for how retailers and other private businesses should report large breaches of personal and financial data. FBI Director James Comey said political uproar over surveillance and the Edward Snowden leaks have complicated discussions about how to fight consumer data breaches, the report states. “There is the threat of fraud and theft because we’ve connected our lives to the Internet,” Comey said. “We need to make sure that the private sector knows the rules of the road and how we share that information with the government.” Meanwhile, Sen. Jay Rockefeller (D-WV) has qualms with letting a third party store NSA telephone metadata. [Reuters]

UR – Gov’t Locates Riot Participants, Sends Text Warnings

Efforts by the Ukrainian government to quiet violent protests include a text message sent to mobile phone users in the vicinity of the clashes reading, “Dear subscriber, you are registered as a participant in a mass riot.” The interior ministry has denied involvement in sending the texts, as have two telephone providers. Another provider said, “We strictly observe the confidentiality of our users, their telephone numbers and locations.” The interior ministry did say it is using video footage to arrest the most active participants in the riot. The protests were sparked by new laws on public gatherings. [The Guardian] See also: [Canadian police forces looking to arm officers with cameras]

US – San Jose Considers Tapping Private Surveillance Cameras

Under a new proposal to be heard by San Jose’s City Council next week, police would be able to tap into residents’ private video cameras. The proposal would allow property owners to voluntarily register their security cameras for a new database managed by the San Jose Police Department in order to help solve crimes. A spokesperson from the police department said it is reviewing the program’s merits and any privacy concerns. [Emergency Management]

CA – Cavoukian Seeks Limits on Sharing Medical Records With Foreign Agencies

Canadian police forces should only share sensitive mental health records with foreign agencies when a public threat can be demonstrated, says Ann Cavoukian, Ontario’s information and privacy commissioner. Her remarks highlight concerns raised in a Star story about Ellen Richardson, a disabled Toronto woman who was denied entry to the U.S. and missed out on a 10-day cruise because a 2012 “mental health episode’’ came up on a U.S. border computer. Cavoukian’s concerns and recommendation will be the centrepiece of a report she plans to present in April. Her comments came at a time when Canadian border officials are planning to share personal information obtained under a new Canada-U.S. border data-sharing program with other federal departments. The Star revealed that Ottawa and Washington will start sharing their citizens’ travel and biographic data this summer, meaning anyone from Canada travelling to or from the United States by land can have their information passed on to federal departments. [Source]


US – Personalized Ads Super Bowl-Style; SocialRadar Released

As the NFL makes last-minute preparations for the Super Bowl, The New York Times reports on plans to feature personalized ads based on physical location, both in Times Square and at MetLife Stadium. At both locations, the NFL has placed transmitters designed to send ad-based signals to smartphones. “When it rolls out, you will see all this utility for it,” said the University of Washington’s Ryan Calo, “And at some point, the economic incentives will come into play, and it won’t be pretty.” Meanwhile, a new iPhone app called SocialRadar has been released. The app aggregates data from Facebook, Foursquare, Instagram, Twitter, LinkedIn and Google+ and finds users’ social media contacts based on location and shares locations, profile data and recent posts. [New York Times] [4 Unanswered Questions About In-Store Tracking and Privacy]

WW – Researchers Create Android App to Show When Other Apps Track You

A team of researchers has developed an Android app to help people better understand when their location is being accessed, something that happens more often than people think. “All apps that access location need to request permission from the Android platform,” said Janne Lindqvist, who led the research project. “The problem is that people don’t pay attention to these default disclosures.” Android phones display a flashing GPS icon when apps are trying to access the user’s location. But few people notice or understand what the icon is telling them, the researchers found. The app they developed is designed to fix that, by making it clearer to users when other apps are accessing their location data. They tried several methods, including a message that flashes on the device’s screen reading, “Your location is being accessed by [app name].” There’s no obvious way in Android for an app to monitor whether other apps are accessing location, the researchers said, but they discovered they could exploit a method in the Android Location API as “an effective side channel.” They’re in the process of readying their app for the Play Store. It doesn’t have an official name yet, but the working title is the RutgersPrivacyApp. “I’m happy to hear suggestions for a better one,” Lindqvist said. [Source]


AU – Australian Breach of Privacy Case Dismissed

A police officer’s privacy complaint against the Queensland Police Service (QPS) has been dismissed. The officer “launched legal action against the Queensland Police Service claiming his privacy had been breached when details of a raid on his home appeared in the media,” the report states. The Queensland Civil and Administrative Tribunal dismissed the complaint after finding the officer “had not substantiated his claims against the QPS,” the report states. [Brisbane Times]

HK – Data Privacy Complaints at Record High in Hong Kong

Complaints and enquiries to the Office of the Privacy Commissioner for Personal Data (PCPD) peaked in 2013, “driven partly by new restrictions on companies’ use of their customers’ personal data for direct marketing.” The PCPD reported Thursday that more than 75% of the “complaints targeted private organisations, while more than half of the enquiries asked about the marketing restrictions,” the report states. The number of complaints received in 2013 was up 48% over 2012. [South China Morning Post]

Online Privacy

US – Suit Accuses Facebook of Scanning Users’ Private Messages

Facebook is facing a second potential class-action lawsuit accusing it of scanning users’ personal messages to each other. In the complaint filed last week in the Northern District of California, David Shadpour says, “Facebook’s desire to harness the myriad data points of its users has led to overreach and intrusion on the part of the company as it mines its account holders’ private communications for monetary gain.” Shadpour says the practice violates California laws. The suit is similar to one filed late last year. [Media Post] See also: [On Facebook, clicking ‘like’ can help scammers]

WW – Whitepaper Imagines Cookie-Free World; Ad Choices Icon Unsuccessful?

A new whitepaper examines how online ads might function in a cookie-less world. The Interactive Advertising Bureau published “Privacy and Tracking in a Post-Cookie World,” which it calls a “first step” toward “eliminating one of the biggest limitations impacting mobile advertising today.” Meanwhile, a TRUSTe report indicates web users are increasingly concerned about online privacy, and new research suggests the Digital Advertising Alliance’s AdChoices icon, used in targeted display advertising as part of its public education campaign, hasn’t been as effective to date as the coalition may have hoped. [Wall Street Journal] See also: [Connected Cars are Here. The Good News Is That Privacy Is Being Taken Seriously]

US – AAA Unveils Consumer Rights for Car Data

The American Automobile Association (AAA) has drafted a consumer bill of rights and is urging industry to adopt it. AAA calls for transparency, choice and security and states car owners should have the right to understand what data is being collected about them, control with whom their data is shared and expect that companies will exercise best security practice. “Many connected car features are made possible through the collection of large amounts of potentially sensitive data from drivers,” said AAA CEO Bob Darbelnet, adding, “Companies collecting, using and sharing data from cars should do everything possible to protect consumer rights as they offer these exciting technologies.” [USA Today]

Other Jurisdictions

BR – 2014 Brings the World Cup and Perhaps New Privacy Laws to Brazil

The Hogan Lovells privacy team explores the impact two proposed privacy laws would have on organizations that provide digital products and services to Brazilian consumers. The Marco Civil da Internet would establish data protection requirements and preserve net neutrality, and the Data Protection Bill would establish an EU-style framework for the processing of personal data. These laws have been in limbo for the past few years, but will the fallout from U.S. government surveillance practices be the inspiration Brazilian lawmakers need to pass provisions, including some that would restrict cross-border data transfers? [Privacy Tracker]

Privacy (US)

US – Justice Department is Investigating Target Breach

US Attorney General Eric Holder says that the Department of Justice (DOJ) is investigating the Target data breach. The DOJ hopes to find the people responsible for the attack as well as people who use the stolen information. DOJ does not normally publicize its involvement in investigations. The Secret Service is also investigating the breach. [ComputerWorld] [GovInfoSecurity] [CNET] [SC Magazine]

US – Terrorism Defendant Challenging FISA Amendments Act

A man who was charged based on evidence gathered by the NSA’s warrantless surveillance programs has filed a lawsuit challenging the constitutionality of that program. Jamshid Muhtorov is a political refugee and permanent US resident from Uzbekistan now living in Colorado. Last year, the Supreme Court ruled against a suit challenging the same law because the plaintiffs in that case could not prove that their communications had been intercepted. [WashPost] [WIRED] [ComputerWorld] [CNET] [ArsTechnica] and [Motion to Suppress] [US: Terrorism suspect challenges warrantless surveillance]

US – Sens. Introduce Data Breach Legislation; Breach May Affect Hotels

A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents. Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the FTC to release a set of security standards for businesses holding consumer data. Calls for chip-and-PIN technology are increasing as well. Sen. Robert Menendez (D-NJ) also plans to introduce the Commercial Bill of Rights, noting that, “Target was just the tip of the iceberg.” Representatives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday. Meanwhile, a recent PricewaterhouseCoopers survey canvassed those who oversee privacy within their organizations and found that though some data security awareness is growing, “privacy awareness isn’t quite where it should be.” In other breach news, KrebsOnSecurity reports that White Lodging, a business with connections to Hilton, Marriott, Sheraton and Westin, has allegedly suffered a data breach exposing credit and debit card information on thousands of customers. [Dianne Feinstein]

US – Google Denied Chance to Immediately Appeal Wiretap Ruling

U.S. District Court Judge Lucy Koh has denied Google’s request to immediately appeal her ruling that the company’s scanning of Gmail messages potentially violates the Electronic Communications Privacy Act. That means the ruling will stand for now. Koh’s ruling could have implications for Internet service providers’ common practices—even seemingly innocuous ones like scanning for viruses. “We desperately need clarity on the legal question,” said one law professor, adding it could be months, years or longer before that arrives. [MediaPost News]

US – Will FTC’s Recent Safe Harbor Settlements Quench Europe’s Thirst for Enforcement?

The FTC last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it was business as usual. But does it at least indicate more enforcement to follow? Will the EU be placated? FTC Commissioner Julie Brill said she does not “believe these settlements were reached because of pressure from the European Commission or anyone else.” But some say the settlements were expected and the “ball was in the FTC’s court after the developments in Europe.” The researcher who filed the complaints said he supports all but one of the settlements. [The Privacy Advisor] See also: [Vladeck Discusses FTC Enforcement Past and Present]

US – Plaintiffs Ask Appeals Court to Revive Facebook, Zynga Complaints

Plaintiffs are asking the Court of Appeals, San Francisco, to revive complaints filed in 2010 and dismissed a year later, seeking that Facebook and Zynga “be ordered to face claims that users’ identities and activities on the social networking platforms were disclosed to third parties without their consent.” Judge Richard Tallman said Congress could not have envisioned “the alleged violations of the Stored Communications Act in its ‘wildest dreams’ when it wrote the law,” the report states. He indicated he was “skeptical anyone was misled by the privacy policies that are being challenged” but acknowledged “there has to be substantial value to the information” or companies would not gather it, the report states. [Bloomberg Businessweek]

US – SCOTUS to Hear Cellphone Privacy Cases

The Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” [Politico]

US – Is a Constitutional Amendment the Answer to Restricting Data Collection?

Privacy scholar and National Constitution Center President and Chief Executive Jeffrey Rosen has opined that a constitutional amendment may be needed to “prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” But Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center, disagrees. Thierer explains why there “are several problems with Rosen’s proposal—legal, economic and practical” and writes “that better alternatives exist to deal with the privacy concerns he identifies.” [Privacy Perspectives]

US – Judge: Plaintiffs Sufficiently Allege Legal Duty in Sony Case

While U.S. District Judge Anthony Battaglia shot down parts of the class-action suit against Sony over its 2011 hacking incident, he did allow certain claims through, including one related to Sony’s legal duty to provide reasonable security. Battaglia wrote that “because plaintiffs allege that they provided their personal information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their personal information, including the utilization of industry-standard encryption, the court finds plaintiffs have sufficiently alleged a legal duty and a corresponding breach.” []

US – TeleCheck to Pay $3.5M for FCRA Violations

The FTC announced that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for an FCRA violation. [Source]

US – MRA Names Top 10 Gov’t Officials in Privacy

In recognition of Data Privacy Day, the Marketing Research Association has published a list of the “Top 10 Government Players in Consumer Data Privacy in 2014.” The list is topped by President Barack Obama for his multi-stakeholder approach to the White House’s Consumer Privacy Bill of Rights and his efforts to “demonize” private-sector data collection. The list also includes FTC Chairwoman Edith Ramirez, Sen. Jay Rockefeller (D-WV), FTC Commissioners Julie Brill and Maureen Ohlhausen, and Sen. Al Franken (D-MN), among others. [MRA] [Stay Safe Online] See also: [B.C. proclaims Tuesday, January 28 “Data Privacy Day.”]

US – Rodriguez Is Leaving OCR: A Look at His Legacy

News that President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The Privacy Advisor reports on this shift, which would leave the OCR director post vacant for the foreseeable future—and at an historic juncture. While HIPAA passed in 1996, its rules were enforced more like suggestions than federal mandates during the early years. But when Rodriguez took his post as OCR director in 2011, armed with powers granted under HITECH, the tone shifted, healthcare insiders seem to agree. As his departure looms, who will take his place and how will HIPAA enforcement change? [Privacy Advisor]

US – Federal Guidance on Breach Notification Would Ease Way for Businesses

Although many businesses balk at the idea of government regulation, some now appear to want the government to establish federal standards for data breach notification policies. Currently, companies must navigate a jumble of rules in 46 states and the District of Columbia regarding breach notification, which is a compliance nightmare. Legislators opposed to regulation may be hard to convince that the move would benefit businesses. Others are concerned that a national standard would weaken laws in states that have more stringent requirements in place. [NextGov]

US – Judge Who Ruled NSLs Unconstitutional Enforces New Orders

US District Judge Susan Illston, who last year ruled that the government’s use of National Security Letters (NSLs) is unconstitutional, has since enforced several of those same orders. In March 2013, Judge Illston ordered the government to stop using NSLs because they unconstitutionally impinge on free speech. She also ordered the government to stop enforcing the gag orders imposed by NSLs that had already been issued. Judge Illston’s reasoning is that because the Ninth Circuit will be hearing the appeal of her ruling, it is best to maintain the status quo until that court issues its decision. [WIRED]

Privacy Enhancing Technologies (PETs)

WW – Whitepaper Highlights Emerging Privacy Engineer Discipline

A new whitepaper surveying the emerging discipline of privacy engineering has been released. Co-written by Ontario Information and Privacy Commissioner Ann Cavoukian, Stuart Shapiro of the MITRE Corporation and Enterprivacy Consulting Group’s R. Jason Cronk, Privacy Engineering: Proactively Embedding Privacy, by Design “seeks to promote a broader understanding and deeper practice of privacy engineering.” [PbD] In a Privacy Perspectives installment, Cronk asked, “Is 2013 the Year of the Privacy Engineer?” See also: [Opinion: Privacy Is Not Dead; Innovate for the Future] and [Innovate Privacy for the Future, But Don’t Get ‘Privacy Twisted’]

EU – Privacy Proving to be Tech Industry Driver

With “some of the world’s toughest privacy laws,” “an unusually large number of hackers and security experts” and “a deep appreciation for privacy among the German people,” Germany is seeing entrepreneurs turn to privacy-focused business models in the wake of the Snowden revelations. Germany is now home to start-ups ZenGuard, an encryption service; Blippex, a search engine “built with user privacy in mind,” and Arriver, “a social navigation tool developed on the principle of neutrality.” State-level business support is available to these start-ups through innovation funding programs, and Arriver CEO Felix Langhof says, “The privacy relevance is only just beginning to dawn on all of us.” [Forbes] See also: [Privacy Engineering: Proactively Embedding Privacy, by Design]

US – Privacy Appendix Dropped from NIST Framework

Nearly a month prior to the final release of its Cybersecurity Framework, the National Institute of Standards and Technology (NIST) has announced it will not include with it a separate appendix for privacy controls. According to the update from NIST, a separate methodology for privacy and civil liberties “did not generate sufficient support.” Sources said the appendix was added late in the process and caused trepidation and uncertainty. There were also concerns regarding corporate liability, particularly in the face of a data breach. NIST will instead incorporate a methodology developed by Hogan Lovells Partner Harriet Pearson. In comments submitted to NIST, Pearson wrote, “To incentivize use of the Cybersecurity Framework, the privacy methodology must be clear and straightforward for the private sector to use.” [FierceGovernmentIT]


US – DMA Releases Guidelines on Breaches; Retail Association Launches Initiative

The Direct Marketing Association (DMA) says it will be releasing new guidelines for best practices on data breach protection. The guidelines will include advice on data minimization, transparency on data use, and instructions on cleaning and purging data. Meanwhile, a liability insurer at KPMG says the firms that need cyber insurance the most aren’t investing in it. Following the Target breach, the Retail Industry Leaders Association has launched an initiative to provide additional safeguards for consumer transactions, and the co-founder of a new service says it has struck the right balance between employee privacy and corporate security. [Broadcasting Cable] See also: [Top 10 Influencers in Government InfoSec]

WW – The Internet of Things: Software Flaw Allows Remote Access to Video

A security weakness in software used in IP surveillance cameras and baby monitors from Foscam could be exploited to remotely view live and recorded video. All an attacker would need to know is the targeted device’s Internet address; in many cases, the authentication prompt could be bypassed simply by clicking “OK” at the login prompt. Foscam planned to issue a firmware security update by January 25. [KrebsOnSecurity] [PCWorld]

RU – Olympics Security Trumps Privacy at Sochi

“Unprecedented” security measures are being taken around the upcoming Olympic Games in Sochi, Russia. With terrorist groups threatening the safety of the participants and fans, Russian President Vladimir Putin has bolstered a “ring of steel” around the venues with “an unmatched level of monitoring in cyberspace,” the report states. With help from the U.S., Canada and other nations, people attending the games have been warned to expect to be under surveillance at all times—including via telecommunications, the Internet and physical movement. [QMI Agency] See also: [Cybersecurity AWOL in State of the Union]

WW – Study Uncovers Tor Sabotage; Privacy Tools Used by 28 Percent Globally

A group of computer scientists has found at least two dozen computers actively trying to sabotage the Tor privacy network. The newly released paper, Spoiled Onions: Exposing Malicious Tor Exit Relays, is one of the first studies to document exit nodes purposely attempting to tamper with encrypted messages between the exit node and the open Internet. Developer Tal Ater has recently demonstrated that a microphone permission policy in Google Chrome can allow any site enabled for voice recognition to transcribe everything in range of the device without the user knowing. Separate research has revealed that privacy tools are used by 28 percent of the online world, or an estimated 415 million users. The GlobalWebIndex (GWI) study also found that 56% of those surveyed said they believe the Internet is eroding their personal privacy. The GWI study notes 11% of all users say they use the Tor network. [Ars Technica] and [SpyEye Developer Pleads Guilty]
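The Spoiled Onions work detected tampering by fetching the same HTTPS resource directly and through each exit relay, then comparing what came back. The following is an added example of that comparison logic, not code from the paper or its authors: the exit fingerprints, the probe log and the “certificate” byte strings are constructed stand-ins (a real scan would drive fetches through Tor with a tool such as torsocks and record the leaf certificate the client actually received).

```python
"""Flag Tor exit relays that alter an HTTPS fetch (added example, constructed data)."""
import hashlib
import json
from typing import Dict

# Constructed stand-ins for DER certificate bytes; these are not real certificates.
GENUINE_CERT = b"\x30\x82\x02\x0a" + b"genuine certificate for example.org"
FORGED_CERT = b"\x30\x82\x02\x0a" + b"certificate forged by a hostile exit relay"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way to pin a leaf certificate."""
    return hashlib.sha256(der).hexdigest()


# Reference observation made over a direct (non-Tor) connection to the target.
REFERENCE = {"scheme": "https", "cert_sha256": cert_fingerprint(GENUINE_CERT)}

# Constructed probe log: one JSON line per fetch, keyed by the exit relay used.
# Relay fingerprints here are placeholders, not real relays.
PROBE_LOG = "\n".join([
    json.dumps({"exit": "AAAA1111", "scheme": "https", "cert": GENUINE_CERT.hex()}),
    json.dumps({"exit": "BBBB2222", "scheme": "https", "cert": FORGED_CERT.hex()}),
    json.dumps({"exit": "CCCC3333", "scheme": "http", "cert": None}),
    json.dumps({"exit": "DDDD4444", "scheme": "https", "cert": GENUINE_CERT.hex()}),
])


def classify(probe: dict, reference: dict) -> str:
    """Compare one through-Tor observation with the direct reference."""
    if probe["scheme"] != reference["scheme"]:
        # An https fetch that arrived as plain http: the exit stripped TLS.
        return "downgrade"
    if probe["cert"] is None:
        return "no_certificate"
    if cert_fingerprint(bytes.fromhex(probe["cert"])) != reference["cert_sha256"]:
        # TLS survived, but the exit terminated it with its own certificate.
        return "cert_mismatch"
    return "ok"


def suspicious_exits(log: str, reference: dict) -> Dict[str, str]:
    """Return {exit_fingerprint: verdict} for every exit whose fetch differed."""
    findings: Dict[str, str] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        probe = json.loads(line)
        verdict = classify(probe, reference)
        if verdict != "ok":
            findings[probe["exit"]] = verdict
    return findings


if __name__ == "__main__":
    for exit_fp, verdict in suspicious_exits(PROBE_LOG, REFERENCE).items():
        print(f"{exit_fp}: {verdict}")
```

Comparing against a direct fetch rather than against a trust store matters: a forged certificate may chain to a CA the client trusts, so only a fingerprint mismatch with the out-of-band reference reliably exposes the relay.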


US – PCLOB: NSA Phone Program Is Illegal

The Privacy and Civil Liberties Oversight Board (PCLOB) released its report on the NSA program that collects phone metadata en masse, concluding it provides minimal benefit in thwarting terrorism, is illegal and should come to a halt, Reuters reports. The PCLOB report goes further in criticizing the program than did President Barack Obama and his ad hoc review panel. “The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215,” the PCLOB report states, adding it “raises serious threats to privacy and civil liberties as a policy matter and has shown only limited value.” Two of the board’s members—Rachel Brand and Elisebeth Collins Cook—voted against the recommendation to end the bulk collection. The PCLOB is also working on a separate report on the NSA’s Internet surveillance. The Guardian has compiled quotes from groups and lawmakers calling for the end of bulk phone records collection. [Reuters]

US – Constitutionality of NSA Surveillance Challenged in Court

A suspect facing terrorism charges has become the first criminal defendant to challenge the constitutionality of the NSA’s bulk surveillance program. A motion was filed in a federal court to suppress any evidence against the defendant gathered from the warrantless government surveillance under the FISA Amendments Act. The defendant “believes that the government’s surveillance of him was unlawful for the simple fact that it was carried out … under a statute that fails to comply with the Fourth Amendment’s most basic requirements,” according to the motion. In a separate case, for the first time in FISA’s 36-year history, a federal judge has allowed a defense lawyer to review classified evidence gathered under the law. [The Washington Post]

US – How Obama’s NSA Plans May Affect EU Law

President Barack Obama’s plans for surveillance reform, as revealed in his recent speech, “have had a lukewarm reception by European politicians,” writes Field Fisher Waterhouse Partner Eduardo Ustaran. “Such reforms are a work in progress that will extend over months and years, but Obama’s stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements,” he adds. In this installment of Privacy Perspectives, Ustaran lays out his predictions “about the practical impact of the proposed plans in Europe.” [Full Story]

WW – Google Downplays Eavesdropping in Chrome Speech Recognition Feature

Google is downplaying reports that the speech recognition feature in its Chrome browser could be used to eavesdrop on users. A web developer created an exploit that lets a website keep listening to a user’s microphone even after the user believes they have left the site. A less than forthcoming site could open a second window underneath the original one, so that microphone access remains active after the visible window is closed. Google says the issue is not a threat because, by design, users must enable speech recognition for each site that requests it. When the speech recognition feature is in use, Chrome places a blinking red light in the browser tab and a camera icon in the address bar. [ComputerWorld] [TheRegister] [ArsTechnica] [NBCNews]

WW – Bulk of China’s Internet Traffic Redirected to US-Based Addresses

Earlier this week, many Chinese websites were redirecting users to a blank page run by a company in the US. Chinese Internet users found they were unable to access websites hosted either in China or overseas that were part of top level domains like .com, .net, and .org. Sites with the .cn domain were unaffected by the incident. The situation did not last long – several hours – but its effect was felt for quite some time after the problem was resolved because users were still accessing cached versions of pages. While Chinese authorities said the incident was the result of an attack, a more likely scenario is a glitch in the way the country’s censorship system was being managed. The company that operates the page to which surfers were redirected runs services designed to circumvent China’s stringent Internet censorship program. [ZDNet] [ArsTechnica] [NextGov] [ComputerWorld] [NY Times]
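The visible symptom of the incident was many unrelated domains resolving to a single address. An added example follows, written for this page rather than taken from any of the cited reports: it scans a resolver log for answer IPs that are returned for several registrable domains across more than one TLD. The log lines and addresses are constructed (documentation ranges), and the registrable-domain rule is a simplification (last two labels) that would need a public-suffix list in production.

```python
"""Spot one IP answering for many unrelated domains (added example, constructed log)."""
from collections import defaultdict
from typing import Dict, Set

# Constructed resolver log: timestamp, query name, record type, answer.
RESOLVER_LOG = """\
2014-01-21T15:20:01 www.example.com A 93.184.216.34
2014-01-21T15:20:02 news.example.net A 198.51.100.7
2014-01-21T15:20:03 www.example.org A 198.51.100.7
2014-01-21T15:20:03 cdn.example.com A 198.51.100.7
2014-01-21T15:20:04 mail.example.net A 198.51.100.7
2014-01-21T15:20:05 www.example.cn A 203.0.113.9
2014-01-21T15:20:06 shop.example.com A 198.51.100.7
"""


def registrable_domain(qname: str) -> str:
    """Naive 'last two labels' rule (assumption; use a public-suffix list for real data)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def tld(domain: str) -> str:
    return domain.rsplit(".", 1)[-1]


def answers_by_ip(log: str) -> Dict[str, Set[str]]:
    """Map each answer IP to the set of registrable domains it was returned for."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue  # only A records carry the addresses we are comparing
        _ts, qname, _rtype, answer = parts
        seen[answer].add(registrable_domain(qname))
    return seen


def sinkhole_candidates(log: str, min_domains: int = 3, min_tlds: int = 2) -> Dict[str, Set[str]]:
    """IPs returned for at least min_domains domains spanning at least min_tlds TLDs.

    Shared hosting and CDNs legitimately front many domains, so the TLD spread
    and a comparison against a baseline period are what make the signal useful.
    """
    return {
        ip: domains
        for ip, domains in answers_by_ip(log).items()
        if len(domains) >= min_domains and len({tld(d) for d in domains}) >= min_tlds
    }


if __name__ == "__main__":
    for ip, domains in sinkhole_candidates(RESOLVER_LOG).items():
        print(ip, sorted(domains))
```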

US – Gov’t to Fund Devices to Track Children With Autism

Sen. Charles Schumer (D-NY) said the federal government will fund voluntary-use GPS tracking devices for children with autism or other disorders that put them at risk when away from their caregivers. The federal government, led by the Justice Department, has already funded a similar program for individuals with Alzheimer’s disease. The new program stems from a recent case where a 14-year-old with autism died after disappearing from his school. The case is still under investigation. Schumer said the program would be voluntary and work in conjunction with local law enforcement. The devices cost approximately $85, plus monthly fees. [Associated Press] See also: [Surveillance of B.C. seniors raising privacy concerns]

Telecom / TV

US – Viacom Hit with Privacy Lawsuit; Group Files Complaint with FTC

Google and Viacom are asking a federal judge to dismiss a potential class-action lawsuit that argues the companies are violating privacy laws at websites including NeoPets. The lawsuit alleges the companies place cookies on websites visited by children under the age of 13. The plaintiffs allege the companies have violated federal wiretap law, the Video Privacy Protection Act and several New Jersey and California state laws. In a separate case, Consumer Watchdog has filed a complaint with the FTC alleging a planned contact list merger between Google+ and Gmail violates a privacy settlement reached between the federal regulator and Google. [MediaPost News]

US Government Programs

US – PCLOB: Data Surveillance Violates Law; NSA is Wrong Agency for the Job

A new report from the Privacy and Civil Liberties Oversight Board (PCLOB) says “the bulk collection of billions of American phone records violates the letter and the spirit of the law.” Excerpts from the report, which is scheduled to be read at an open board meeting, say the mass collection has “no connection to a specific FBI investigation when it’s being gathered” and the amount of it being “vacuumed up” can’t be considered “relevant.” It also says that under the law, the FBI—not the NSA—should be doing the collecting. Two PCLOB members, however, wrote dissents on that opinion. “The board will vote Thursday on whether to call for an outright end to the phone metadata program and call for more transparency from the government and the secret court,” the report states. [NPR]

US – NSA Announces First-Ever Chief Privacy Officer

The Washington Post reports on the National Security Agency’s announcement that it has named IAPP member Rebecca Richards, CIPP/US, CIPP/G, its first-ever privacy officer. Former Department of Homeland Security (DHS) official Paul Rosenzweig told the Post that Richards, leaving DHS for the new job, has her work cut out for her and that civil libertarians are skeptical. However, former DHS CPO Mary Ellen Callahan said, “She is one of the best privacy officials I have worked with in over a decade and a half of privacy counseling. She works meticulously with the program managers and creators of new programs, and demonstrates an ardent level of diligence and devotion to privacy.” Meanwhile, a report for Federal News Radio says agencies are now treating privacy the way they treated cybersecurity five years ago, as a “classic risk-management issue.” But privacy is “hard to define because it means different things to everyone,” making the role of CPO somewhat less defined than that of a CSO. [Washington Post]

WW – How App Developers Leave the Door Open to NSA Surveillance

News that the National Security Agency has for years harvested personal data “leaked” from mobile apps such as Angry Birds triggered a fresh wave of chatter about the extent of the NSA’s reach. However, the NSA and its U.K. equivalent, GCHQ, hardly had to break much technical ground to hoover up that data. Few mobile apps implement encryption to protect the data they send over the Internet, so the agencies could trivially collect and decode that data using their existing access to Internet networks. Documents seen and published by the New York Times and Guardian newspapers show that the NSA and GCHQ can harvest information such as a person’s age, location and sexual orientation from the data sent over the Internet by apps. Such personal details are contained in the data that apps send back to the companies that maintain and support them. This includes data sent to companies that serve and target ads in mobile apps. “This is evidence of negligent levels of insecurity by app companies,” says Peter Eckersley, technology projects director for the Electronic Frontier Foundation. A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8% used encrypted connections exclusively, and that 43% used no encryption at all. Last week mobile app security company MetaIntell reported that 92% of the 500 most popular Android applications communicated some data insecurely. The published documents single out Google Maps as leaking particularly useful data for surveillance purposes. Documents from both the NSA and GCHQ note how search queries intercepted from this app can reveal a person’s movements. A 2008 document from GCHQ states that a system set up to intercept that data “effectively means that anyone using Google Maps on a smartphone is working in support of a G.C.H.Q. system.” [MIT Technology Review] and [Time for a ‘wake-up call’ on smartphone spying: Cavoukian]
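What a passive collector (or an app developer auditing their own product) sees is plaintext HTTP requests whose query strings carry the profile fields the article lists. The example below is added here and is not code from the cited research or the agencies: it parses constructed request captures, treats anything that is not a readable HTTP request (a TLS record, for instance) as opaque, and reports the requests that send identifying or location fields in the clear. The hostnames, addresses and sensitive-key list are assumptions for illustration; the key list in particular would be tuned to the app under review.

```python
"""Audit captured app traffic for profile data sent without TLS (added example, constructed captures)."""
import re
from typing import Dict, List, Optional, Union
from urllib.parse import parse_qs, urlsplit

# Query keys treated as identifying or location-revealing (assumption for this example).
SENSITIVE_KEYS = {"age", "gender", "lat", "lon", "ll", "location", "imei", "android_id", "udid", "orientation"}

# Constructed captures as a tap would see them: (src, dst, dst_port, payload).
# Text payloads are plaintext HTTP; the bytes payload is the start of a TLS ClientHello.
CAPTURED_REQUESTS = [
    ("10.0.0.5", "198.51.100.20", 80,
     "GET /ad?app=bird&age=34&gender=f&lat=51.50&lon=-0.12&android_id=9f3a1 HTTP/1.1\r\nHost: ads.example\r\n\r\n"),
    ("10.0.0.5", "198.51.100.21", 80,
     "GET /maps/api?q=kings+cross&ll=51.53,-0.12 HTTP/1.1\r\nHost: maps.example\r\n\r\n"),
    ("10.0.0.5", "198.51.100.22", 80,
     "GET /static/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    ("10.0.0.5", "198.51.100.23", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(r"\r\nHost: ([^\r\n]+)")


def parse_request(payload: str) -> Optional[dict]:
    """Return method, host, path and query params of a plaintext HTTP request, or None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    host = HOST_HEADER.search(payload)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "host": host.group(1) if host else "", "path": parts.path, "params": params}


def leaked_fields(params: Dict[str, str]) -> List[str]:
    """Sorted list of query keys that expose profile or location data."""
    return sorted(k for k in params if k.lower() in SENSITIVE_KEYS)


def audit(captures) -> List[dict]:
    """One finding per plaintext request that carries sensitive fields."""
    findings: List[dict] = []
    for _src, _dst, _port, payload in captures:
        if isinstance(payload, bytes):
            continue  # TLS (or other binary) traffic is opaque to a passive observer
        req = parse_request(payload)
        if req is None:
            continue
        fields = leaked_fields(req["params"])
        if fields:
            findings.append({"host": req["host"], "path": req["path"], "fields": fields})
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURED_REQUESTS):
        print(f"{f['host']}{f['path']} leaks {', '.join(f['fields'])} in the clear")
```

The maps request is flagged on its coordinate parameter alone, which is the point the GCHQ document makes: a location query needs no other identifier to be useful to an observer. Moving these requests to HTTPS removes the findings; moving the fields into a POST body without TLS does not.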

US Legislation

US – Criminal Liability in Breach Legislation Could Be a Recipe for Disaster

With recent high-level data breaches, and the introduction by Sen. Patrick Leahy (D-VT) of the Personal Data Privacy and Security Act of 2014, some are hopeful a federal breach notification statute is on the horizon. There is one issue, however, raised by Leahy’s bill that “deserves considerable debate,” writes Andrew Proia, of Indiana University’s Center for Applied Cybersecurity Research and Maurer School of Law. “In addition to creating the federal breach notification law, Section 102 of Leahy’s bill would open the door to criminal liability for anyone who ‘intentionally and willfully’ conceals the fact of a security breach,” he writes, adding, “it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.” [Privacy Perspectives]

US – Sens. Introduce Anti-Fraud Legislation

Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) have reintroduced legislation that would require certain entities to “better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud,” now called the Data Security Act of 2014. The requirements would supersede current state breach laws and apply to “businesses that take credit or debit card information; data brokers that compile private information, and government agencies holding nonpublic personal information.” [Government Security News]

US – CA Senate Approves Bill Defining Collection and Use; AG Files Suit Over Kaiser Breach

California’s Senate approved a measure Thursday aimed at protecting consumers’ information from being misused, the Los Angeles Times reports. The bill, introduced by Sen. Hannah-Beth Jackson (D-Santa Barbara), would limit online merchants’ collection of data to only that which is necessary and would prohibit the merchants from selling the data or using it for marketing purposes. Meanwhile, a recent breach at Snapchat narrowly avoided repercussions under California’s updated data breach law, which took effect January 1, and the state’s attorney general recently filed a suit against Kaiser Foundation Health Plan for a 2011 breach. [Los Angeles Times]

US – Montana Allows Review of Post-Suicide Medical Records

In response to the high number of suicides in the state, Montana legislators have passed a measure to allow a team to review the medical records of all suicide victims as of January 1 of this year. While HB 583 easily passed the House, Rep. Kirk Wagoner (R-Montana City) has concerns about the opt-out nature of the law. The team doesn’t have to ask permission to delve into the medical history of the victims but instead will take into consideration family objections. The Montana Suicide Review Team will look for patterns and make recommendations to lower suicide rates, and Montana’s Suicide Prevention Coordinator Karl Rosston says “None of this stuff is going to be isolating or be able to identify a specific case. This will be a comprehensive of all the suicides and patterns of behaviors. We’re not going to take one isolated incident and say ‘this is what happens’.” [KRTV]

US – South Dakota House Considering Student Privacy Bill

South Dakota’s House Education Committee will revisit SB 63 this week to protect the privacy of students who take educational assessments. South Dakota Secretary of Education Melody Schopp wrote a letter to U.S. Education Secretary Arne Duncan explaining the state cannot and does not link identifiable information to test scores. “We are prohibited to share any personally identifiable information with the federal government,” Schopp said, adding that the education department is in favor of the privacy policy. [South Dakota Public Broadcasting]

US – CA Senate Passes Bill to Protect, Limit Online Data Collection, Retention

The California Senate has passed SB 383, which would limit online retailers “in the amount and type of personal information they could collect” from consumers related to content they purchase and download online. It would also require them to dispose of the data once they no longer need it. Sen. Hannah-Beth Jackson (D-Santa Barbara), the bill’s author, says it would protect consumers from fraud, but online retailers say they need to retain the data in order to spot irregular transactions and allow consumers the convenience of sharing downloaded data between devices, among other reasons. [The Associated Press]

US – Nebraska Citizens Voice Privacy Concerns Over Wages Bill

The McCook Area Chamber of Commerce has voiced concerns over a bill recently introduced by Sen. Tanya Cook (I-District 13) that would see Nebraska companies with more than 50 employees posting the salaries of all their employees annually. Listings would be made without the identities of the individuals but would list salaries, job title, gender, age and years of service. [The McCook Daily Gazette]

US – Judge: CA’s Two-Party Consent Doesn’t Apply to Out-of-Staters

U.S. District Court Judge Josephine Staton has dismissed Annette Jonczyk v. First National Capital Corporation et al, stating that because Jonczyk is not a California resident, the state’s two-party consent statute, requiring both parties to consent to recording a phone call, does not apply to her. At the crux of the case is that First National is a California company and recorded a call, without consent, to Jonczyk, a Missouri resident, and Missouri is a one-party consent state. Staton noted that the California legislature’s intent is to “protect the right of privacy of the people of this state.” “Applying California law to this case would not further that goal. On the other hand, Missouri specifically limited their privacy protection statute to allow a single party to consent to a recording.” [Scott Koller of Information Law Group]

US – Maine Committee Quashes Social Media Bill, Opts for Study

The Maine legislature will form a study commission to determine the need for a law barring schools and employers from requiring access to social media and personal e-mail accounts. After three committee meetings, a bill that would have banned this practice was voted down in favor of the study commission. While lawmakers generally agreed on the intrusiveness of requiring online account passwords, the report states “several wrestled with passing a bill that business leaders opposed because it could limit screening of job applicants, investigation of harassment disputes or protection of proprietary information.” [Portland Press Herald]

US – West Virginia House Passes Social Media Bill

The West Virginia House has passed legislation that would prohibit employers from requiring access to online accounts of employees or prospective employees. Del. Stephen Skinner (D-Jefferson) sponsored the bipartisan bill, which he based on similar legislation passed in Maryland. The bill now heads to the Senate. [The Journal]

US – Indiana House to See Bill Restricting Police Surveillance Techniques

The House Committee on Courts and Criminal Procedure voted 6-1 to advance a bill that would limit law enforcement use of drones, GPS tracking and cellphone searches. The bill would require police to obtain a warrant prior to using any of these surveillance methods in most circumstances. Some questioned the need to include GPS tracking in the bill, as police are currently limited to using the technology in investigations and emergency situations, but one representative noted that putting the limits into law may save court battles over evidence in the future. [Associated Press]

US – Missouri Considers Constitutional Protection for Electronics

Sen. Rob Schaaf (R-St. Joseph) has proposed a bill to amend the Missouri Constitution to include “electronic communications and data” in the items protected against illegal search and seizure. During a hearing last week, no one testified against the measure. The report states that if approved by the legislature, the measure goes on the state ballot in November. [The Associated Press]

US – California Assembly Passes Drone Bill, Including Data Retention, Use Provisions

The California Assembly passed a bill that would set strict limits on police use of drones and the data obtained from them. AB 1327 requires police to get a warrant prior to using drones for surveillance, except in emergencies, but it also requires them to notify the public when they plan to use drones and to delete all data collected by drones within six months unless the data collection was authorized by a warrant or the data is evidence. Other public agencies can also use drones but would have to obtain a warrant in order to share that data with law enforcement. The Assembly passed the bill with a 59-5 vote, and it now heads to the Senate. [The Washington Post]

US – Georgia General Assembly Considers Two Drone Bills

Rep. Harry Geisinger (R-Roswell) has sponsored HB 846, which “would establish specific situations in which it would be legal for drones to capture images and would make it a misdemeanor for anyone to use a drone to capture an image for surveillance.” And Rep. Stephen Allison (R-Blairsville) proposed HB 848, which “would prohibit manned or unmanned aircraft from flying within 100 feet above the surface of a property for surveillance without a search warrant or permission of the property owner.” Hearings are yet to be set on either bill. [The Associated Press]

US – Iowa Considering Drone Privacy Bill

Iowa’s House Public Safety Committee discussed a bill that would prohibit law enforcement from using drone surveillance except in certain emergency situations. The committee plans to make changes to the bill before approving it and will meet again to continue the discussion. [The Associated Press]

US – Minnesota Bill Would Regulate Police Drone Use

Legislation has been proposed in Minnesota to regulate police use of drones. While Minnesota authorities don’t yet use drones, this bill would require a warrant for drone surveillance except in situations of “imminent” danger. [The Associated Press]

US – New Hampshire Bill Would Restrict Police, Public Use of Drones

New Hampshire Rep. Neal Kurk (R-Weare) has proposed HB 1620 to restrict the use of drones by law enforcement and private individuals. This is the second time in two years he has tried to legislate the use of drones in the state. The bill is causing some controversy because it forbids intentional surveillance even in public places, which may infringe on First Amendment rights, according to the director of the NH Civil Liberties Union, which on those grounds does not support the bill. [The Union Leader]

US – Utah Sen. Introduces Drone Privacy Bill

Utah State Sen. Howard Stephenson (R-Draper) has introduced SB 167, which would prohibit state agencies from using drones without a warrant except in emergency situations or with written consent. The bill also puts limits on the retention of data obtained by drones. [Deseret News]

US – NJ Governor “Pocket Vetoes” Drone Privacy Bill

Among the 44 bills Gov. Chris Christie (R-NJ) allowed to expire was a drone privacy bill that would have required police to get a warrant before using drones for surveillance. The bill had passed the New Jersey Assembly with a vote of 74-1.

US – Wisconsin Assembly Passes Social Media Bill; Senate Passes Mental Health Bill

Senate Bill 223, making it illegal for employers, universities and landlords to require social media login information from workers, students, tenants or applicants, has passed the Wisconsin Assembly, reports WEAU. If the bill passes into law, violators could see fines of up to $1,000. One employment law expert says that if misconduct on social media is suspected, employers can ask for access to the site but not for login credentials. The bill now heads to the Senate for approval. The Wisconsin Senate, meanwhile, has passed the Mental Health Care Coordination Bill, updating Wisconsin law to be more consistent with HIPAA. Currently, state law requires a level of confidentiality for behavioral health treatment beyond that required in HIPAA. The current requirements have been criticized for hampering appropriate treatment by restricting the sharing of patient data with other treatment providers. [The National Law Review]

Workplace Privacy

US – Study Says US Government Workers Do Not Practice Good Mobile Device Security

According to a study from the Mobile Work Exchange, many US federal government employees are not taking appropriate measures to secure their mobile devices, despite established security policies. The report, commissioned by Cisco Systems, focused on tablets, smartphones, and laptops. While physical security seems to be more entrenched – 86% of the workers lock their computers while away from their desks – more than 40% of the 155 government workers surveyed use their mobile devices in ways that put their agencies and the devices at risk of a breach. Issues include using public wireless networks, failing to employ multi-factor authentication or encryption, downloading personal apps and opening messages from senders they do not know; 25% do not use passwords for their devices at all. [DarkReading] [MobileWorkExchange] See also: [How To Change Employees’ Poor Password Habits] and [Blancco Backs 2014 Data Privacy Day on January 28 – Jan 28 2014 – Champion of data privacy’ takes leadership role in data erasure for mobile devices, an important focus for today’s security-challenging BYOD trend]





01-15 January 2014


UK – More Than One Million Students Fingerprinted

Big Brother Watch, a UK-based privacy advocacy group, estimates that 1.28 million students have been fingerprinted at their secondary schools, nearly one-third without parental consent. Based on a Freedom of Information request, data shows that four out of 10 schools employ biometric technology to identify students. Big Brother Watch has said the development is concerning because students will grow up thinking “it is normal to be tracked like this all the time.” Big Brother Watch Director Nick Pickles said, “Going to school should not mean kids are taught that they have no privacy, especially at a time when we are sharing more data about ourselves than ever before.” [The Independent] See also: [New facial recognition app ‘creepy’, says kids entertainer Raffi]

US – At CES, Company Announces New Open Standards

Hoyos Labs announced at the Consumer Electronics Show the formalization of its Biometric Open Standards Protocols. The document sets up rules for secure communications between devices and the server “managing the acquisition and manipulation of biometric data captured by those devices,” according to a press release. CEO Hector Hoyos said the company “created a rule-based system by building upon the U.S. Department of Defense’s core infrastructures” that “is available to any company that wants to implement it” upon request. The document addresses identity assertion, role gathering, access controls, auditing and assurance. [DarkReading] [Consumer Electronics Show will highlight new ways to collect biometric data]


CA – OPC: Google Health Ads Violated Privacy Law

After an investigation, the Office of the Privacy Commissioner (OPC) said that Google violated a Canadian citizen’s privacy rights when he was targeted with health-related advertisements. After a man searched the Internet for information on sleep apnea, he began receiving advertisements for devices related to the health disorder. In response to the OPC’s order, Google has said it will take steps to stop the privacy-intrusive advertisements. “We are pleased Google is acting to address this problem,” said Interim Privacy Commissioner Chantal Bernier in a press release, adding, “It is inappropriate for this type of information to be used in online behavioral advertising.” Bernier, whose office received support from the U.S. Federal Trade Commission, also said, “We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations.” Online behavioural advertising guidelines issued by the Office of the Privacy Commissioner of Canada two years ago make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads. [OPC News Release] SEE ALSO: [Canada: Conservatives deny request to view full guest list for speech from the throne] and [Spy agency admits it spies on Canadians ‘incidentally’]

CA – Sudden Resignation from Sask. Privacy Commissioner

Saskatchewan’s information and privacy commissioner Gary Dickson has resigned, citing personal reasons. Dickson said in a news release he would step down at the end of the month. First appointed to the position in 2003, Dickson was reappointed to another five-year term in April, 2009. During his time in the post, Dickson has been a strong advocate for more rigorous protection of personal medical data, and critical of lapses in the public sector. He has also said the government needs to extend its privacy legislation to cover that sector. Dickson said his resignation was “solely for personal reasons.” He did not provide any details. [Source]


US – Facebook Users File Suit Over Data-Mining

Two Facebook users are suing the social network for allegedly intercepting the “content of the users’ communications” to “mine user data and profit from those data by sharing them with third parties—namely, advertisers, marketers and other data aggregators.” In their December 30 class-action, the plaintiffs allege “Facebook’s use of the word ‘private’ in relation to its messaging system is misleading, given the way the company treats the info contained within those messages,” the report states. Facebook has denied the allegations, calling them “without merit.” The class-action is seeking $100 for each day of violation or $10,000 per class member and “statutory damages of either $5,000 per class member or three times the amount of actual damages, whichever is greater,” the report states. [Ars Technica] See also: [IRE: The privacy of a billion people on the Internet is controlled by one Irishman]

US – Consumers Trusting Fewer and Fewer With Their Data

“People are becoming more aware of the data being collected about them online. And that’s eroding the trust they have with collecting companies.” The statement is based on research by McCann Truth Central shared at the Consumer Electronics Show (CES). The McCann Truth Central survey examines which companies consumers see as “the greatest threat to the future of privacy” while also highlighting which they trust with their data. The Ad Age report also highlights comments by FTC Commissioner Julie Brill at CES that “we need legislation around privacy … We actually need specific data-broker legislation.” Meanwhile, amidst privacy concerns, anonymous search engine DuckDuckGo has announced 2013 saw more than one billion searches made—its biggest year to date. [Ad Age]

US – Ford CEO Calls for Driver Privacy Provisions

Ford Motor Company CEO Alan Mulally says drivers’ privacy must be protected by law as vehicles increasingly use data for location tracking. The company is “supportive and participating” in talks with regulators considering such legislation, the report states. “It’s just really important that we have boundaries and guidelines to operate,” Mulally said. Sen. Al Franken (D-MN) recently questioned Mulally on what kind of data the company collects via vehicles’ GPS systems and how driver consent is obtained. Franken’s questioning comes after a company executive said last week the company can infer a person’s driving habits via the navigation systems in Ford vehicles, as referenced in this recent Privacy Perspectives post. [Bloomberg] [Franken presses Ford on location data collection practices]


NZ – Agencies Too Slow In Destroying Shared Data

Kiwis’ private information is being mishandled by government agencies, which break their own rules when sharing people’s details. Reports from the Office of the Privacy Commissioner reveal agreements between Government agencies to share personal information have been “non-compliant” and have had “substantial issues”. Several agencies have been caught holding on to the information of hundreds of thousands of people after they had previously agreed to destroy it. In another report, the Ministry of Social Development was caught tracking people using their tax numbers, which is illegal under the Privacy Act. Privacy Commissioner Marie Shroff said the breaches were disturbing. “This is a highly complex environment with huge amounts of citizens’ data, and you do need a watchdog carefully checking what is going on to keep them honest.” [Source] [CA – Government departments consider banning portable data devices in wake of security breaches in 2013] and [New Ideas for Mitigating Insider Threat: Presidential Panel Suggests Series of Steps, Government Information Security]



CA – CASL: What You Need to Know and When

Shaun Brown of nNovation offers a detailed breakdown of the newly published regulations under Canada’s Anti-Spam Legislation (CASL). Implementation of CASL will come in three waves, the first of which, rules that apply to computer programs, is already in force. While many of the regulations mirror those pre-published in the draft released at this time last year, there are some changes, including new exceptions for closed platforms, limited-access accounts where organizations communicate directly with recipients, messages targeted at foreign persons and fundraising by charities and political parties. [IAPP Privacy Tracker]


Electronic Records

US – Experts Say Still Has Numerous Security Issues

Experts testifying before congress said that the government’s healthcare exchange website still contains many security problems. One of the security issues identified last year has been partially addressed, but the other 17 remain, and 20 new issues have been detected. According to a statement from the Centers for Medicare and Medicaid Services (CMS), “There have been no successful security attacks on and … [no one] has maliciously accessed personally identifiable information from the site.” [CNET] [Ars Technica] [NBC News] [TrustedSec] See also: [Centers for Medicare and Medicaid Services Official Says Site is Now Secure] and [ghg and OptimizeRx join forces on electronic health records]

UK – Patients Asked To Opt Out Or Be Included In Database

NHS England has begun sending leaflets out to every household in England to inform residents that information from their patient records will be used in a national database unless they actively opt out. The ambitious programme aims to join up anonymised patient data from a number of care settings into one data collection kept by the Health and Social Care Information Centre. This will be available to clinicians and researchers. The leaflet, entitled “Better information means better care”, is part of a £2m publicity campaign launched in the wake of concern being raised by GPs and privacy campaigners that patients were not being well enough informed about the new database. [Source]



US – Yahoo Implements Default Encryption

Yahoo has begun automatically encrypting Yahoo Mail users’ connections. Automatic HTTPS is now the default. The move is in response to concerns about government surveillance. Google recently made a similar change, and Microsoft and Facebook have announced stronger encryption keys will be coming in the future. Meanwhile, following allegations that a major security firm accepted $10 million from the NSA to implement an “intentional cryptographic flaw” in one of its encryption tools, several high-profile security experts have begun canceling their appearance at the firm’s annual conference [CNET]. [Yahoo users exposed to malware attack]

WW – Quantum Computer Could Crack Most Encryption

The U.S. NSA is allegedly building “a cryptologically useful computer” that could break virtually all encryption on the Internet, including banking, medical, business and government records. Documents provided by former contractor Edward Snowden reveal the plans are part of a $79.7 million research program going by the name “Penetrating Hard Targets.” Unlike classical computers, which run on binary bits—ones or zeroes—quantum computers seek to use bits that are simultaneously ones and zeroes, making it exponentially quicker and more efficient. Some experts, however, are skeptical that such a full-scale system would be ready in the near term. [The Washington Post]


EU Developments

EU – No Successor Yet for EDPS Hustinx

In his last speech of his mandate as European Data Protection Supervisor (EDPS), Peter Hustinx urged Germany to take the lead in reform of the EU data protection framework. And now, after 10 years of service, Hustinx is retiring from “what is in essence the EU’s top data protection authority.” But the future leadership of the office is in question. Earlier this month, news came out that a “selection board” found that none of the successor candidates were “sufficiently qualified” for the position, thereby delaying the selection, possibly by months. “After working in Brussels for the last 15 years,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner, “I have become accustomed to the byzantine machinations of European politics.” [IAPP]

EU – Is the EU’s “Anti-FISA” Clause Practical?

The Snowden revelations have helped reintroduce into the EU’s proposed General Data Protection Regulation a provision that would limit and control personal data transfers to third countries. Often referred to as the “anti-FISA” clause, the provision gives rise to a number of concerns regarding practicality and legality, writes Danish Ministry of Finance Senior Policy Advisor Christian Wiese Svanberg, who notes, “the issues raised by the proposal are numerous,” adding, “does the word ‘judgment’ also cover court orders, subpoenas, letters of request … And what constitutes an ‘international agreement’ for the purposes of the provision?” [Full Story] See also: [US: Spy court judge slams proposed privacy advocate]

EU – LIBE Publishes NIS Directive Draft Amendments

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) has published “a list of draft amendments MEPs in the group would like to see made to the European Commission’s proposed Network and Information Security (NIS) Directive.” The proposed NIS Directive, first published last year, “aims to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintain sufficiently secure systems,” the report states. MEP Marie-Christine Vergiat has suggested the standard of protection should differ by organisation, while other proposals include recommending the NIS Directive’s implementation be postponed until after the introduction of EU data protection reforms. [Full Story]

EU – Shutting Down EU Is Not the Way to Defend Privacy

In reaction to the release of the European Parliament’s LIBE Committee draft report on U.S. National Security Agency (NSA) mass surveillance, Field Fisher Waterhouse Partner Eduardo Ustaran writes, “Shutting down pretty much all transatlantic data flows in order to prevent unreasonable access to data by the U.S. intelligence services would not only be disproportionate, but it would be hugely damaging to the information society we all rely on.” Ustaran looks at several specific provisions of the draft report, noting that though it’s extreme, there is no need to panic. Meanwhile, TechCrunch reports that the LIBE Committee has invited former NSA contractor Edward Snowden to testify on U.S. surveillance. []

EU – Court of Human Rights Supports Finnish Court Decision

A European Court of Human Rights ruling supports an earlier Finnish court decision to fine author Susan Ruusunen for writing “a tell-all book” in 2007 about then-Prime Minister Matti Vanhanen. “The judgment is the latest example of the Strasbourg-based court having to toe the line between upholding the European Convention on Human Rights articles of freedom of expression and the privacy rights of people, even those in the spotlight,” the report states. Finland’s Supreme Court found against Ruusunen and her publisher back in 2010. [The Wall Street Journal]


Facts & Stats

WW – Snapchat Assures Users Spam Is Unrelated to Breach

Following reports from some Snapchat users that they’ve received an excessive amount of spam, the company has apologized but assured users the messages are unrelated to a recent breach that exposed millions of usernames and phone numbers. “While we expect to minimize spam, it is the consequence of a quickly growing service,” Snapchat said in a blog post. [Los Angeles Times]



US – E-Receipts Come With Privacy Concerns

Stores are increasingly offering to send customers email receipts, which are convenient and save paper. But if you choose an e-receipt, experts warn that the convenience comes with a price: your privacy. “Once you’ve given up your email address, that retailer can use it for any purpose,” said consumer advocate Richard Holober. Holober said that includes sending you more emails, using it for targeted marketing and even selling your information to a third party. “The question that the consumer should be asking the retailer is, ‘What are you doing with my information?’” he said. “Sometimes, if it’s online with the terms and conditions, you’ll clearly see that whoever you’re signing up with is clearly saying that they are going to be giving that information to third parties.” [New York News]

US – Regulators Have Concerns About Lenders’ Use of Facebook, Other Sites

More lending companies are mining Facebook, Twitter and other social-media data to help determine a borrower’s creditworthiness or identity, a trend that is raising concerns among consumer groups and regulators. Lending companies—some of which are backed with venture funding from Google Ventures, the venture-capital arm of Google Inc., and Accel Partners, an early Facebook Inc. investor—are looking at potential problems such as whether applicants put the same job information on their loan application as they posted on LinkedIn, or if they shared on Facebook that they had been let go by an employer. A small business that draws negative reviews on eBay also could undermine its chances of getting more credit, lending companies say. Consumer advocates say the trend increases the chance borrowers, including small businesses, will be unfairly denied credit or saddled with higher interest rates based purely on their social-media presence. They say federal laws haven’t kept up with the trend, leaving borrowers exposed. “The data we have on customers via social networks says more about them than their FICO,” Mr. Sion said, referring to the three-digit credit score widely used to estimate risk. “You can make credit decisions based not on a faceless score, but on who you know.” Companies are tapping into other sources of data, including PayPal and eBay accounts, to determine not just whether a borrower should get a loan but whether their credit line should be increased. [The Wall Street Journal]

CA – Bitcoin ATM Arrives in Toronto

Toronto has its first Bitcoin machine, located at King Street West and Spadina Avenue. Bitcoin, which allows people to convert their money to digital coins or bitcoins, is the first decentralized digital currency.

The only other Canadian Bitcoin ATM is located in Vancouver, and it has seen massive success since it was unveiled in late October of 2013. While some view it as a passing fad and have questioned its validity, others see it as the replacement for the current monetary system. The volatility of the emerging digital currency has been a focus of attention for market regulators, with its price rising from 30 cents in 2012 to a peak of about $1,200 in 2013. Today it is closer to $900. In 2013, a U.S. judge ruled that Bitcoin is a real currency. [Source] See also: [Canada Revenue Agency reviewing issue of taxpayers wrongfully declared dead]



IN – E-records to Have Longer Archival Life

Computerized records of birth and death certificates, land, passport, Aadhaar and ration cards among others should now have a longer archival life. The city-based Centre for Development of Advanced Computing (C-DAC) has developed a national digital repository that will preserve all important government documents in the electronic format. Termed the ‘trusted digital repository’, the system is capable of saving electronic data generated by all state governments for a longer period of time. [Source]



WW – Google Acquires Nest for $3.2 Billion

Google announced it will acquire Nest Labs—maker of smart home thermostats and smoke alarms—for $3.2 billion. Nest CEO Tony Fadell said, “We’re thrilled to join Google. With their support, Nest will be even better placed to build simple, thoughtful devices that make life easier at home and that have a positive impact on the world.” According to The New York Times, Nest’s products use software, hardware, sensors and algorithms to learn the behavior of home dwellers in order to program a home’s system and allow users to remotely access and control it. Fadell said Google has agreed that Nest’s privacy policy will remain unchanged. “That was a major concern or question we had,” he said, “and they have done an amazing job convincing us that our privacy policies are going to be well-respected in their organization.” [Google Investor Relations blog]

US – Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision”

A privacy lawsuit against Google has been revised. The suit alleges the company commingled data across its services and products in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the commingling of data deprived them of the “economic value” of their data, the report states. The revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.” [Bloomberg]

US – Court of Appeals Denies Google’s Wiretap Act Argument

The U.S. Court of Appeals for the Ninth Circuit has ruled against an appeal by Google, holding that payload data transmitted over a WiFi network is not considered “radio communications” as defined under the federal Wiretap Act. In the case, Google defended its collection of data transmitted over open WiFi networks during its Street View mapping project, saying the data it collected was unencrypted and available to the general public. [Business Standard]

WW – Privacy Advocates Concerned About New Google Feature

In its Official Gmail Blog, Google updates users on a new feature for those using both Gmail and Google+, under which “Gmail will suggest your Google+ connections as recipients when you are composing a new e-mail.” The blog notes “your e-mail address is only shared with the people you want … You control whether people can reach you this way with a new setting in Gmail.” However, the Los Angeles Times reports, privacy advocates believe the feature should have been opt-in. The Electronic Privacy Information Center’s Marc Rotenberg alleges the new feature is “eerily similar” to Google Buzz, which resulted in a settlement with the FTC. [Source]

WW – Google’s Public Policy Vet Moves to LinkedIn

LinkedIn has hired Google veteran Pablo Chavez as its vice president of public policy, Silicon Valley Business Journal reports. Chavez has worked at Google since 2006 and was responsible for engineering the company’s political strategy, the report states. Chavez’s LinkedIn profile notes his political advocacy efforts for Google on issues including privacy, security and online free expression. [Syrian Electronic Army hacks into Xbox Twitter accounts too]

EU – CNIL Issues Its Largest-Ever Fine to Google

French privacy regulator the CNIL has fined Google $204,000 for breaking the law with its unified privacy policy—its biggest fine to date. The CNIL said the company implemented its shift to one privacy policy across all its services without properly informing users of the ways in which their data would be combined and for what purposes. That’s similar to The Netherlands’ data protection authority assertion in November, while Spain’s data protection authority fined the company $1.2 million last month. The fines are the latest in European displays of dissatisfaction with online tracking, which may impact EU-U.S. business relations, The Wall Street Journal reports. [GigaOm] [Google appeals French fine as data privacy row continues]

WW – Google Announces Alliance to Support Android-Connected Cars

Google has created an alliance of car manufacturers that are working to make their products Android-connected. The initiative is known as the Open Automotive Alliance (OAA). It is “committed to bringing the Android platform to cars starting in 2014 … in a safe and seamless way.” Google is developing an Android platform “that will enable the car itself to become a connected Android device.” Questions about the alliance’s plans for addressing security issues were not answered directly. Charlie Miller, a Twitter security engineer who has given presentations about cars’ vulnerability to hacking, said he believes “these automotive efforts need to have security experts brought in from the beginning.” [SC Magazine] See also: [US: Feds May Require Cars to Talk to Each Other to Avoid Crashes]


Health / Medical

US – House Passes Security Bill

The US House of Representatives has passed a bill that would impose strict new security requirements on the website. The legislation would require the Department of Health and Human Services (HHS) to notify people within two days if their personal information is compromised. HHS officials say that the website meets the government’s information security standards and that no personal information has been compromised. The bill is unlikely to pass in the Senate. [NextGov] [Political Ticker]

US – FDA Seeks Electronic Records for Drug Safety Data

As part of the FDA’s ongoing efforts to evaluate the safety of drugs and biological products, the agency quietly began a search for access to electronic health records (EHRs) in December. The agency plans to use the information gleaned from EHR data to augment its MedWatch reporting system and other actions taken by the FDA’s Office of Surveillance and Epidemiology. In a notice posted to Federal Business Opportunities, a website used by government agencies looking to contract outside vendors, the FDA wrote that it is seeking direct and continued access to EHR data. The FDA emphasized that the identities of all patients would be obscured. The data provided by the contractor will allow reviewers to “evaluate drug-related safety issues of high regulatory priority in a timely manner” and assess several risk factors. In the notice, the FDA said it sees benefit from access to longitudinal information regarding the patient population. The agency is looking for real-time access to a database that includes demographic and diagnostic information; laboratory test orders and results; drug and biological agent use; the National Death Index; and health history, including visits to hospitals and specialists. On Jan. 8, the response date for the EHR notice had passed, and three contractors had posted to the website expressing their interest. In a separate notice, the FDA also sought database access to demographic information regarding over-the-counter drug purchases. [Source]

US – Survey: Privacy Officers Need More Staff, Anticipate Greater Enforcement

A recent survey indicates healthcare privacy, information security and compliance officers most desire increased budget, compliance software, more staff, training and audit help. In the ID Experts survey, respondents said an increased budget would help with investing in audit software and increasing training and proper staffing in an effort to meet regulations, among other needs. Asked to make predictions for 2014, respondents expected increased enforcement on privacy and security by the government and intensified auditing. [HealthITSecurity]

WW – Social Media Posts Risk Patient, Public Mistrust

Violations of patients’ privacy are increasingly common when medical practitioners take photos of patients on their personal devices and share them on social media. Approximately 30% of state medical boards have reported receiving complaints of “online violations of patient confidentiality,” according to a recent survey published in the Journal of the American Medical Association. The violations have the potential to “undermine a proper physician-patient relationship and the public trust,” says the Federation of State Medical Boards. [Full Story] [NZ – Privacy Questions Raised Over Medical Record Database]

US – IMS Health Goes Public; When Docs Google Patients

IMS Health plans to go public. According to the report, the company has assembled “85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.” IMS Health then sells the data and reports to the top 100 global pharmaceutical and biotechnology companies, advertisers, consulting firms and other government and financial organizations. In a recent filing with the Securities and Exchange Commission, IMS Health said it processes data from 45 billion health records per year. Meanwhile, an All Voices article looks into the fine line between marketing and health privacy, and according to The California Report, health kiosks pose several privacy risks. In a column for The New York Times, one doctor opines on the pros and cons of “Googling” his patients. “I am tempted to prescribe that physicians should never look online for information about their patients, though I think the practice will become only more common,” he writes.

US – OCR to Get New Director

Personnel changes at the Office for Civil Rights (OCR) would have a “major impact on healthcare IT security in 2014.” President Barack Obama reportedly intends to nominate OCR Director Leon Rodriguez to fulfill a role in immigration services, leaving questions as to who would replace Rodriguez, especially during such a critical time as the OCR prepares for its 2014 HIPAA audits. In other healthcare-related headlines, a breach lasting four years was discovered at a Virginia health system during a random company audit in November, and patients affected by the data breach at Kaiser Foundation Hospital Orange County have filed a class-action lawsuit in California. [Forbes] [HealthITSecurity]


Horror Stories

US – Target Says Malware Found on Point-of-Sale Terminals

Target is now acknowledging that there was malware on its point-of-sale terminals. In addition, the breach, already one of the largest known breaches of payment card data to date, affected as many as 110 million Target customers, nearly three times the initial estimate. Target CEO Gregg Steinhafel says the company is planning “significant changes” in response to the breach, but did not elaborate. [SC Magazine] [CNET] [Krebs Security] [ComputerWorld] [Yahoo] [Target Data Breach Larger than Estimated, 70 Million More Affected]

US – Neiman Marcus Investigating Payment Card Data Breach

Neiman Marcus says that it was also targeted in a data breach over the past few months. The retailer says its database was infiltrated in December. As in the Target breach, the attack affects people who shopped in physical stores but not online shoppers. Neiman Marcus is working with the Secret Service to investigate the breach. [CNET] [Krebs on Security] [US – More retailers reportedly victims of holiday data breaches: At least three more US retailers suffered unpublicized attacks similar to the one on Target, Reuters reports]

US – Lawmakers Want Update from Target; Investigating Neiman Marcus Incident

Lawmakers are seeking answers from Target’s chief executive on the company’s response to its recent breach. Sens. John Rockefeller (D-WV) and Claire McCaskill (D-MO) have asked that the company’s information security officials brief committee staff on its latest internal findings. A Target spokeswoman said, “We have received the chairmen’s letter and are continuing to work with them and other elected officials to keep them informed and updated as our investigation continues.” The heads of the Senate Banking and Judiciary committees are also responding to the breach. Meanwhile, three states have begun investigating a breach at Neiman Marcus. [Source]

US – Data Protection & Breach Notification Legislation Reintroduced in Senate

US Senator Patrick Leahy (D-Vermont) has reintroduced legislation aimed at protecting people’s privacy. This time, the bill includes provisions calling for the establishment of a federal standard for data breach disclosure, and data protection standards for businesses retaining sensitive information. The bill would also impose criminal penalties for people convicted of attempted computer hacking and conspiracy to commit computer hacking. [LOHUD] [RT.COM]


Identity Issues

WW – FIDO’s 2014 Authentication Agenda

To help reduce reliance on passwords, the FIDO Alliance of 70 member companies is developing standard technical specifications for advanced authentication. Michael Barrett and Daniel Almenara of FIDO describe the impact the effort could have in 2014. “The thing to remember is that the whole FIDO methodology is rethinking how authentication is handled from the ground up,” says Barrett, president of the alliance. FIDO plans to publish in the first quarter of this year its first official draft of authentication specifications. The alliance hopes to eventually help launch a certification program to verify that hardware and software are “FIDO enabled” and use the group’s specifications. The FIDO authentication model will support any device, including a wide variety of mobile hardware – as well as a wide variety of authentication methods. That’s because it’s common for end-users to use multiple devices to access systems. [Source] SEE ALSO: [Canada: Researchers develop ‘narrative authentication’ system]

MY – Malaysia to Introduce High-Tech ID Cards for Foreign Workers

In a bid to check the influx of illegal foreign workers, Malaysia will soon issue new biometric identity cards to nearly 2.3 million foreigners in the country. Malaysia relies heavily on foreign workers to support its tourism and infrastructure industry. There are 2.25 million documented foreign workers in the country right now. Labourers from countries like India, Indonesia, Bangladesh and Cambodia also work in its rubber and palm plantations. Officials said the new ID cards, embedded with high-tech chips, would ensure only legal foreign workers were in the country. The cards were originally planned to be introduced late last year. [Editorial: We need a new jurisprudence of anonymity] See also: [IN — India: The Aadhaar trap: Why you should be really, really worried]


Internet / WWW

US – U.S. Commerce Secretary: New Rules Needed for Potential $19T Market?

At the Consumer Electronics Show in Las Vegas, privacy was a hot topic. In particular, the Internet of Things is getting close attention, as wearables and microcomputers are among the most common new products. Cisco Systems CEO John Chambers made headlines with his keynote, predicting the Internet of Things market could be as large as $19 trillion by 2020. This and other news led U.S. Commerce Secretary Penny Pritzker to say, “I think we need to … have a real look at the issue of privacy and where you draw the lines and what are the rules … I don’t think there is consistency or clarity right now … in terms of what companies are collecting and what they can do with that data.” [Full Story]

WW – IAPP and CSA Announce New Strategic Alliance

The IAPP announced that it has created a new strategic alliance with the Cloud Security Alliance, a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The alliance’s most tangible result will be the joining of the IAPP Privacy Academy and CSA Congress into a single event to be held September 17 to 19 at the San Jose Convention Center in San Jose, CA. “Cloud security and privacy matters continue to twist and turn, especially given events of late, with the industry in constant pursuit for the best knowledge and practices to stay ahead of what’s next in securing all forms of computing,” said CSA CEO Jim Reavis. “Through this union, this event is now the center of gravity for information governance and management professionals to navigate the continually evolving challenges of the digital economy,” said IAPP President and CEO Trevor Hughes. [IAPP] See also: [NSA Snooping Triggers Foreign Business Flight From US Cloud Services]

WW – How Algorithms Can Probe and Influence Consumer Behavior

Pandora’s Internet radio service has begun mining user preferences to better determine the types of ads that will be most engaging. Pandora’s chief scientist said, “It’s becoming quite apparent to us that the world of playing the perfect music to people and the world of playing perfect advertising to them are strikingly similar.” According to the report, some businesses are attempting to differentiate themselves by creating algorithms that not only understand their consumers’ behavior but also try to influence their behavior. One computer science professor said, “I would guess, looking at music choices, you could probably predict with high accuracy a person’s worldview,” including “people’s stance on issues like gun control or the environment” or, in some cases, political party affiliation. [The New York Times]


Law Enforcement

US – Study Finds NSA Phone Metadata Collection Not Effective Against Terrorism

A study from the New America Foundation finds that the NSA’s bulk collection of phone metadata “has had no discernible impact on preventing acts of terrorism.” The NAF analyzed the cases of “225 individuals … charged in the United States with an act of terrorism since 9/11.” In the majority of instances, conventional investigative methods provided the impetus to open the case. The study found that just one case had been initiated due to information obtained through the wholesale data collection. [Washington Post] [Ars Technica] [Study] See also: [Hong Kong Bar Association opposes planned drug testing scheme]



CA – Making a Business on Phones’ Continuous Broadcasting

Turnstyle Solutions is a start-up in Toronto using small sensors placed throughout downtown to track the movements of individual consumers. The firm then sells that data, showing businesses where else their customers frequent, in the name of customizing offerings. One restaurant emblazoned its logo on tank tops when it became clear that customers also frequented a local gym. Turnstyle’s success, the report says, along with that of other startups like Euclid Analytics, “speaks to the growing value of location data … but Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop.” [The Wall Street Journal]

US – YP Acquires Sense Networks

Search and advertising company YP has confirmed its acquisition of Sense Networks. YP’s David Lebow confirmed that “acquiring Sense’s technology, with its ability to create custom consumer profiles for use in mobile ad targeting, will give YP a real competitive advantage,” the report states. Lebow has suggested the deal is part of YP’s shift from more traditional publishing models to “placing a premium on technology.” [Tech Crunch]

WW – Tracking Device Lets Mom and Dad Track Junior

A new tracking device allows parents to track their children’s movements. FiLIP is a phone for children allowing parents to install a free app on their mobile devices to link to FiLIP to follow its location. It allows parents to set a “safe zone,” which sounds an alarm if a child wearing a FiLIP device travels beyond it. [The New York Times]



SG – Companies Can Send Certain Messages Without Checking DNC Registry

The Personal Data Protection Commission (PDPC) of Singapore has determined companies are allowed to “send marketing messages to customers that have registered to be listed on a new Do-Not-Call (DNC) Registry under certain circumstances.” While businesses are required to consult the DNC Registry before sending messages—and face fines in certain circumstances—”a new exemption allows businesses to send either text or fax messages to promote ‘related products and services’ to individuals they have an ‘ongoing relationship’ with,” the report states, noting in such instances, companies are not required to consult the registry first. “As the exemption order does not apply to voice calls, organizations are still required to check against the DNC Registry before making telemarketing calls,” the PDPC said. [Out-Law]


Online Privacy

WW – Privacy-Enhancing Phone, Dating App Unveiled

The creators of Silent Circle announced they will unveil a privacy-enhancing smartphone called Blackphone. The device, which will be available for preordering on February 24, uses a secure version of Android called PrivatOS and will have the capability to transmit secure phone calls, texts, file exchanges and storage, and video chat, and anonymizes use via a virtual private network. Creator Phil Zimmermann said the phone “provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.” Meanwhile, the makers of SinglesAroundMe have announced a patent-pending technology that allows users to change their locations to preserve their privacy. The “Position-Shift” algorithm gives users control over their location and who knows it. Fujitsu Laboratories has announced an encrypted search technique that keeps data encrypted to maintain privacy, and Twitter has announced it is enforcing SSL encryption for apps connected to its API. [GigaOM] SEE ALSO: [Engineers and Lawyers in Privacy Protection: Can We All Just Get Along?]

WW – Twitter Scores Points for Privacy; Messaging Apps Compete

An Electronic Frontier Foundation (EFF) report on how companies respond to government data requests has given Twitter its highest rating for protecting privacy. The EFF examined companies on criteria including transparency, whether they require warrants and if they fight for users’ privacy in courts. Twitter and Internet access company alone “earned a ‘star’ for all six categories,” the report states. Meanwhile, in the wake of a recent breach, Snapchat has reportedly “at times, given law enforcement unopened snaps.” New iOS application Confide is responding with its own message service, and one investigative report finds that “Confide’s encrypted storage of message contents are indeed a step above Snapchat’s plain text storage … But totally self-destructing, these messages are not.” Separately, The Exchange reports on concerns over a new tracking feature on Apple’s iPhone. [Business Insider]


Other Jurisdictions

AU – Australian DPA Issues Further Guidelines on Australian Privacy Principles

The Australian data protection authority, the Office of the Australian Information Commissioner (OAIC), has issued two sets of guidelines on the Australian Privacy Principles (APPs) that will provide the framework for Australia’s Privacy Amendment (Enhancing Privacy Protection) Act 2012, scheduled to take effect beginning 12 March 2014. The most recent sets of guidelines relate to rights of data subjects under APP 12 ‘access to personal information’ and APP 13 ‘correction of personal information’.

Key points to note from APP 12:

  • APP entities that hold personal information about individuals must give individuals access to that personal information on request (whether in writing or otherwise informally).
  • Applications for access requests must be free of charge, and any charges relating to providing the information must not be excessive.
  • The right to access information under APP 12 operates alongside other legal procedures, e.g., the Freedom of Information Act (FOI Act).
  • APP entities can refuse to grant access to information by providing the individual written notice justifying the circumstances for refusal. These circumstances include the grounds for refusing access under the FOI Act, as well as the following:
      • Reasonable belief that giving access would pose a serious threat to life, health or safety of an individual
      • Access would have unreasonable impact on privacy of other individuals
      • The request is frivolous or vexatious
      • Information relates to anticipated or existing legal proceedings and would not be disclosable under discovery
      • Access would reveal intention of negotiations with the individual or would prejudice enforcement activities for misconduct
      • Access would reveal information in connection with a commercially sensitive decision-making process
      • Giving access would be unlawful
  • APP entities must respond to access requests within 30 calendar days by either providing a notice of refusal or granting access in the manner requested by the individual.

The key points to note from APP 13:

  • APP entities must take reasonable steps to correct personal information to ensure information held is accurate, up-to-date, relevant and not misleading.
  • Privacy policies must provide a mechanism for individuals to make a request to an APP entity for correction of their personal data.
  • Reasonable steps must be taken to notify other APP entities of the correction.
  • Individuals who request that their information be corrected but are refused must be provided with a complaint mechanism and written notice of the grounds for the refusal to correct the information.
  • It is not permissible to impose any charge on individuals for requesting the correction of their personal information.
  • APP entities must respond to requests for correction within 30 calendar days by either correcting the information or notifying the individual of the grounds for refusing the correction.

AU – Australian Privacy Act Changes to Introduce Risky Uncertainties

Changes to the Australian Privacy Act are bound to trigger the same uncertainties introduced by the USA’s Sarbanes-Oxley (SOX) legislation, with organisations at risk of financial and reputational damage if unable to adjust to the challenges, according to Centrify APAC regional director Matt Ramsey. “SOX compliance costs and complexity have run out of control in the US during the past decade. The SOX legislation is prescriptive without being descriptive; it tells you to jump, but not how high. As a result, US corporations need to jump a very high bar to avoid the threat of non-compliance.” From March, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will implement a new set of harmonised privacy principles to regulate the handling of personal information by both Australian businesses and government agencies. Ramsey attributes the revisions to cloud services and mobility. Ramsey claims these changes risk repeating the cost and compliance challenges of the SOX legislation, as the Act will require organisations to “take reasonable steps” to demonstrate compliance without specifying exact obligations. [Source]

AU – Australia: Will Entities Use Privacy Act “Get Out of Gaol Free” Cards?

In a series of blogs, Brett Winterford explores “the improbability of Privacy Act compliance,” noting that as the 12 March deadline looms, “Australia’s new Privacy Act will come into effect during a period of tremendous turbulence in the technology sector, owing to a surge in subscriptions to cloud computing services.” Winterford advises organisations that use or plan to use “public cloud computing services that are hosted offshore … consider Australia’s amended Privacy Act in detail.” Winterford also details the Office of the Australian Information Commissioner’s “two ‘get out of gaol’ cards”—commensurate contract and consent—that “corporate Australia will make use of.” [IT News]

AU – Australian Orgs Should Set Responsible Disclosure Expectations

Highlighting cases where organisations were informed—sometimes by researchers or “white hat” hackers—of vulnerabilities but did not take appropriate action, Bugcrowd’s Jonathan Cran is quoted as saying, “It really comes down to ‘don’t be a jerk’—on both sides. But that’s not legally scalable … Unless the organization defines what they expect with a responsible disclosure or bug bounty policy, the researcher is often left guessing.” Cran discusses the importance of organisations becoming “proactive in defining ‘reasonable’ or ‘responsible’—and setting expectations” or researchers are left “to decide what it means for both parties. Often, researchers have a sense of civic responsibility to let the public know what they’ve found.” [ZDNet]


Privacy (US)

US – Obama to Endorse Some NSA Changes; Telcos Off the Hook

President Barack Obama is expected to comment on possible changes to NSA surveillance reform. Though he is “expected to endorse changes to the way government collects millions of Americans’ phone records,” he will likely leave specific changes and decisions to an already divided Congress, the report states. In his speech, Obama is also expected to announce further privacy protections for non-U.S. citizens, and according to The New York Times, he will propose an advocate within the Foreign Intelligence Surveillance Court (FISC) but will not back a plan to have telecommunications firms retain metadata. PC World reports that FISC judges are not supporting calls for a privacy advocate within the court, and Politico reports that the Center for Security Policy has issued a report rejecting most of the recommendations set forth by an intelligence review group. Meanwhile, all five members of Obama’s intelligence review group testified before the Senate Judiciary Committee yesterday.

US – Obama to Announce NSA Recommendations This Week

President Barack Obama will announce the results of his review of the NSA surveillance programs on Friday, January 17. Privacy and Civil Liberties Oversight Board (PCLOB) Chairman David Medine, who met with the president last week, said, “We wanted to be able to provide input into the decision-making process.” The PCLOB is expected to release its own findings on January 23. The Hill reports on how Obama’s decisions around NSA reform have put his legacy on the line. Meanwhile, the European Parliament’s decision to have Edward Snowden testify on NSA surveillance programs has divided MEPs due to fears it could damage EU-U.S. relations. Politico reports that, based on last week’s Consumer Electronics Show, fears of NSA spying have not affected consumers’ excitement for emerging technology. However, according to a new survey, a quarter of Canadian and UK businesses are looking away from U.S.-based cloud storage companies due to NSA spying. [Source] See also: [SCOTUS Is Scared of Tech, But Privacy Pros Can Help]

US – Lawmakers Unsure of Obama’s NSA Reform

President Barack Obama met with a group of “hand-picked” lawmakers to discuss potential reform to the NSA surveillance programs. The meeting included proponents of existing programs—such as Sen. Dianne Feinstein (D-CA)—and vocal critics, including Rep. Jim Sensenbrenner (R-WI). Several of the lawmakers left the meeting unconvinced the president was going to reform the programs enough. House Judiciary Chairman Bob Goodlatte (R-VA) said, “it’s increasingly clear that we need to take legislative action to reform” the agency’s intelligence gathering. Sen. Ron Wyden (D-OR) said, “The debate is clearly fluid” and that the president “is wrestling with these issues.” The Wall Street Journal reports Obama will extend privacy protections to noncitizens and will restructure the phone data program. Phone carriers could foot a bill of up to $60 million per year if they’re required to retain data for intelligence agencies. The NSA fallout is also prompting several states into action. [National Journal]

US – FTC Director of Consumer Protection Talks Priorities

The FTC’s Jessica Rich discusses her new role as director of the FTC’s Consumer Protection Bureau. Rich says “native advertising” will be big with the FTC in the near future. “I want to make a broader push into mobile, mobile security, mobile payments, making sure we are able to bring mobile investigations, just as we are able to bring brick-and-mortar investigations.” She adds that the time for privacy legislation has come. Meanwhile, recent data breaches at Target and Snapchat have incited calls from Washington, DC, for legislative action and raised questions about the FTC’s efficacy on data protection. [AdWeek]

US – Pamela Jones Harbour Moves to BakerHostetler

Former Federal Trade Commissioner Pamela Jones Harbour has moved to BakerHostetler where she will help lead its privacy and data protection team. Harbour, who served as a commissioner for six years, will work as a partner assisting clients with data breach notifications and assessments as well as advising on data transfers. “This is an exciting time to join the firm’s antitrust and privacy teams,” Harbour said in a statement. [The Hill]

US – Schneier Moves to Co3; Evidon Hires First COO

Co3 Systems has hired security and privacy expert Bruce Schneier as its chief technology officer, while Evidon has hired its first chief operating officer. Schneier currently serves as a fellow at Harvard’s Berkman Center for Internet and Society, board member of the Electronic Frontier Foundation and advisory board member of the Electronic Privacy Information Center. Emily Riley comes to Evidon from her prior role as a digital ad industry analyst for Jupiter Research and Forrester Research and, most recently, as a VP at behavioral targeting firm Audience Science. Riley says Evidon aims to help people understand the trade-off between free digital content and tracking technologies. [AdAge]


Privacy Enhancing Technologies (PETs)

WW – Confide App Erases Your Text Messages After They’re Read

Borrowing a page from Snapchat, a new iOS app promises to let users send self-destructing text messages. Confide is a free message-deleting IM app for iPhone, iPad, and iPod Touch users. You can send text messages to any e-mail address, either by choosing someone from your contact list or manually entering the address. To read your message, however, your recipient must also sign up for a Confide account and download the app. Viewing a message for the first time prompts them to do so. Reading the message on an iOS device requires your recipient to drag a finger across the screen to reveal each word. A read receipt is also sent to you once your message has been read. After the message is closed, though, it disappears for both the sender and the receiver, which is the whole point behind the app. The messages themselves are also private and encrypted to protect them on their journey. [Source]



US – Gov’t Seeks Access to Gun Buyers’ Mental Health Data

The White House announced two new executive actions “that would expand the government’s access to mental health information during background checks on gun buyers,” noting these “clarify what constitutes a mental health problem that might prohibit gun ownership and allow states more wiggle room in disclosing such personal medical information.” One executive action modifies the HIPAA Privacy Rule and allows mental health data “relevant to gun ownership” to be included in the National Instant Criminal Background Check System (NICS), while the other “clarifies what exactly in someone’s mental health history would prohibit them from owning or purchasing a gun.” [The Daily Caller]

US – Pending Legislation Would Require Inspection of Chinese IT Equipment

US legislators in both houses are expected to approve bills that would prohibit certain agencies from purchasing IT equipment manufactured in China until it is inspected by federal authorities. The provision is part of a 2014 fiscal spending package in the House of Representatives. The agencies that would be affected by the bills are the Department of Commerce, the Department of Justice, NASA, and the National Science Foundation. [NextGov] See also: [UAE May Scrap Satellite Deal with France Over Backdoors in US Components]

WW – Microsoft to End Support for Windows XP in April

In what appears to be a concerted effort to urge users to upgrade from Windows XP to a more current version of the operating system, Microsoft has announced that when it stops supporting XP in April, it will also cease support for Security Essentials on XP. [Ars Technica]

WW – The Internet of Things Poses a Growing Threat

Bruce Schneier says that embedded systems pose a growing security threat because “there is no good way to patch them.” He notes that two decades ago, PCs were facing a similar challenge, which has been addressed by full disclosure of vulnerabilities and automated patching. However, embedded systems are products of several different companies, none of which has particular incentive to make sure that they are secure. Schneier says that embedded systems vendors need to be pressured to create more secure products; driver software needs to be open-source; and automated update mechanisms need to be used to keep the products secure. ISPs are a likely locus to initiate this shift. [WIRED] See also: [Russia’s Olympic security to set new surveillance standard at Sochi]


Smart Cards

US – Startup Looks to Thwart Credit Card Hacking

A Texas-based start-up is planning to introduce new technology aimed at thwarting credit card hacking attacks like the 2013 holiday shopping season’s high-profile Target breach. Epic One is developing technology that protects credit cards with biometric readers that scan the cardholder’s fingerprint to avoid such hacks. The start-up will introduce its pilot cards later this year. “The root cause of fraud is the exposure of this information,” said Epic One CEO William Gomez Jr., adding, “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information.” [Forbes]



US – Feinstein on Drones: “Proceed with Caution”

Sen. Dianne Feinstein (D-CA) once found “a drone peeking into the window of her home—the kind of cautionary tale she wants lawmakers to consider as they look at allowing commercial drone use.” Speaking as a special witness at a recent Senate Commerce Committee hearing on drones, Feinstein urged that her fellow legislators “proceed with caution.” Feinstein indicated privacy concerns are “significant” and, according to the report, called for “close scrutiny and recommended a search warrant requirement” for government-operated drones and “strong, binding enforceable privacy policies that govern drone operations … before the technology is upon us.” [Politico] See also: [US: Border-patrol drones being borrowed by other agencies more often than previously known]

US – NSA Using Radio Tech to Snoop on Machines Not Connected to Internet

The NSA has put malware on 100,000 computers that allows it to conduct surveillance, even when the machines are not connected to the Internet. The NSA has been using the technology since 2008. The technology involves the use of small transceivers and, in some cases, small circuit boards placed inside targeted machines. [NY Times] [ComputerWorld] [NBC News] [Ars Technica] [SC Magazine]

US – FISC Jurists Oppose Transparency, Oversight Recommendations

Current and former Foreign Intelligence Surveillance Court judges say that White House task force recommendations for changes to court procedures would place a greater burden on the court and hinder its ability to do its job. The letter, written by former FISC Chief Judge John D. Bates, expresses the jurists’ opposition to appointing an independent privacy advocate to represent the public interest; requiring the FISC judges’ approval for national security letters; broadening the selection process for FISC judges; and the cessation of the NSA’s phone call metadata collection program. [Washington Post] [LA Times] [ComputerWorld] [CNET]

US – Both NSA Metadata Gathering Rulings Will be Appealed

Both recent rulings regarding the legality of the NSA’s phone metadata gathering program will be appealed. On Thursday, January 2, the ACLU filed a notice of appeal in its lawsuit challenging the data collection program; Judge William Pauley III dismissed the ACLU’s challenge the previous week. On Friday, January 3, the US Justice Department (DOJ) filed an appeal of a ruling from Judge Richard Leon in Klayman v. Obama, which found that the NSA’s data collection likely violates the constitution. [ComputerWorld] [ZDNet]

US – NSA Metadata Gathering Program Might Not Reach Supreme Court

If each of the federal judges’ rulings on NSA data gathering is upheld on appeal, it is likely the Supreme Court would step in to resolve the issue. However, according to Orin Kerr, a Fourth Amendment scholar at George Washington University, it is not a sure thing. Kerr points out in a Volokh Conspiracy post that the provision of the Patriot Act (Section 215) that is being held up as license to continue the snooping expires on June 1, 2015. By that time, legislators will likely be debating the issue, and this “lessens the likelihood of the Supreme Court stepping in to the debate at that time, both because the issue may be mooted by statute and because the Court may feel that statutory regulation is preferable to constitutional regulation in this context.” [WIRED] [Orin Kerr’s post] In the meantime, the Foreign Intelligence Surveillance Court (FISC) has renewed the NSA’s phone data collection program. The FISC has to renew the program every 90 days. The court makes clear that the program does not permit the NSA to collect the content of phone calls. [SC Magazine]

US – States Respond to Citizens’ Surveillance Concerns

While states don’t have the authority to shut down NSA surveillance, many state lawmakers are doing their best to enact legislation that will put limits on state and local law enforcement’s abilities. The need for limits on government surveillance of U.S. citizens is one of the few things Democrats and Republicans seem to agree on; according to a USA Today report, “the same proportion of Democrats and Republicans said they are more worried about their civil liberties than they are about terrorism.” From cellphone location data to drones, online browsing to license-plate scanning, coast to coast and left to right, state lawmakers are proposing anti-surveillance laws. In fact, Wisconsin Rep. David Craig noted, “There are so many different facets of technologies that can be misused that lawmakers need to keep our heads on a swivel.” Well, in this legislative session, it seems there’s a bill out there trying to stop every one of them. Many anti-surveillance bills have already become law, but here are some that are on their way down the pike. [US – NSA Insiders Reveal What Went Wrong]

Arizona – Arizona Sen. Mae Beavers (R-Mt. Juliet) says she will introduce legislation requiring state and local police agencies to obtain a warrant prior to “accessing or retrieving” residents’ location data through an electronic device, reports The Chronicle of Mt. Juliet. “We cannot let technological advances sidestep the Fourth Amendment,” said Beavers, who plans to model the legislation after a Montana law. And, as the Privacy Tracker previously reported, Sen. Kelli Ward (R-Lake Havasu City) also plans to introduce a bill to prohibit state and local law enforcement from providing support to the NSA and state-owned utilities from providing services to NSA facilities.

California – California Sens. Joel Anderson (R-San Diego) and Ted Lieu (D-Torrance) have introduced the Fourth Amendment Protection Act, which would make information collected by the NSA without a warrant inadmissible in state court. The law would also ban University of California and California State University employees from establishing “NSA research facilities or recruiting grounds,” reports Raw Story. The OffNow Coalition, a faction of the Tenth Amendment Center, helped to develop this bill along with other similar bills being considered in Oklahoma, Missouri and Kansas.

Indiana – The Indiana House Courts and Criminal Code Committee had its first hearing on a bill that would limit law enforcement’s use of drones and other surveillance equipment on private property. Rep. Eric Koch (R-Bedford) authored the bill, which requires search warrants for electronic surveillance or data collection, with some exceptions.

Kansas – As previously reported, State Rep. Brett Hildabrand (R-District 23) has pre-filed the Kansas Fourth Amendment Preservation and Protection Act, which addresses the issue of information sharing.

Maryland – Maryland Sen. Christopher Shank (R-Washington) announced plans to introduce four bills during the current Assembly that would restrict the ways local and state police use technology to monitor e-mail, location tracking through cell towers and license-plate readers, reports Herald Mail Media. Three of the four bills would require law enforcement to get a warrant, rather than a court order, prior to beginning surveillance activities, increasing the burden of proof for approval.

Massachusetts – Rep. Jonathan Hecht (D-Watertown) has introduced legislation that would put a 48-hour limit on police retention of data obtained through license-plate readers, unless it is directly related to an investigation.

Michigan – Rep. Sam Singh (D-East Lansing) wants to see limits on license-plate readers (LPRs) in that state, reports Landline Magazine. “His bill would prohibit LPRs from recording pictures of drivers, require that local department-level policies govern their use and allow the attorney general’s office to ban use of the technology at agencies found in violation,” the report states, noting, “The bill would also mandate that license-plate records collected by the readers must be deleted from data systems within 48 hours after they were collected. An exception would be made when the record is linked to criminal activity.”

Missouri – Sen. Will Kraus (R-Lee’s Summit) has filed SB 599 to restrict “the storage and use as evidence of data collected through automated license-plate reader systems.” The bill would require jurisdictions that collect data using an automatic license-plate reader to delete that data after 30 days, according to Kraus’s website. And, as previously reported, a resolution proposed in the state would make information including e-mails, phone records and Internet records obtained without a warrant inadmissible in court.

New Hampshire – While New Hampshire is currently the only state that prohibits the use of license-plate scanners, the House will consider a bill this week to authorize their use, reports CBS.

New Jersey – The New Jersey Assembly has approved new requirements for law enforcement and fire departments’ use of drones, reports The Star-Ledger. The bill had bipartisan sponsorship and passed 74-1. While it is very similar to a bill passed in the New Jersey Senate last summer, this bill includes a warrant requirement, which sponsors say would help protect personal privacy as that technology becomes more common. Reps. Amy H. Handlin (R-District 13) and Caroline Casagrande (R-District 11) in November introduced a bill that would require “judicial approval prior to installation or use of automated license-plate reader by law enforcement agency.”

Ohio – In Ohio, HB 69 would “prohibit the use of traffic law photo-monitoring devices by municipal corporations, counties, townships and the State Highway Patrol to detect traffic signal light and speed limit violations, except in certain circumstances.”

Oregon – Within the next month, Oregon lawmakers are expected to introduce at least three bills aimed at preserving privacy. The Oregonian reports the three known proposals will include one to limit the use of license-plate readers by law enforcement agencies; another to “exempt from public records laws the travel histories linked to electronic fare cards the transit agency plans to introduce in a few years,” and the last is aimed at prohibiting law enforcement agencies from obtaining cellphone location data, Internet, e-mail and social media account data and television-watching history without a warrant, except in certain circumstances. These proposals will come on the heels of the passing of a law that limits drone use by law enforcement in the state.

Virginia – Del. Bob Marshall (R-13th District) is sponsoring legislation that states, “a cellular phone or other wireless telecommunications device is a tracking device when it is used to track the movement of a person and that such use requires a warrant issued by a judicial officer.”

Wisconsin – Reps. David Craig (R-Vernon) and Fred Kessler (D-Milwaukee) and Sen. Tom Tiffany (R-Hazelhurst) introduced legislation last November that would limit police use of license-plate scanning. According to a Wisconsin State Journal report, “The bill would allow the cameras to be turned on only during the investigation of a crime. It also would prohibit sharing the stored information with nongovernment entities and require data destruction within 48 hours, unless it was necessary for a criminal investigation.”

US – Tracking Equipment Keeps Getting Cheaper, Study Finds

New research published in The Yale Law Journal by independent researcher Ashkan Soltani and New America Foundation’s Open Technology Institute Policy Director Kevin Bankston has found that the cost of tracking the location of an individual is growing dramatically cheaper. Based on work submitted to the Privacy Law Scholars Conference in 2013, Soltani writes on his personal blog, “tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.” Soltani also notes, “If technical and financial barriers previously provided some protection from large-scale surveillance by the government, these implicit protections have been essentially eliminated by the low costs of new surveillance technology,” adding, “Once the cost approaches zero, we will be left with only outdated laws as the limiting function.” [Ashkan Soltani]

US – “Granny Cams” Raise Privacy Concerns

The use of surveillance cameras or “granny cams” in nursing homes is a practice that is currently legal in Oklahoma, New Mexico and Texas, “to collect evidence of abuse and neglect.” While their use has positive implications for stopping abuse, the report cautions there are privacy implications not only for patients but for roommates, visitors and caregivers. In addition to the potential invasion of patients’ privacy during such personal activities as bathing, the report notes that those with dementia may be unable to consent to the surveillance. [AARP Blog]


Telecom / TV

US – Telcos Not Warming Up to Obama’s Retention Plan

Telephone companies are “quietly hesitating” at a potential plan to have them alter how they collect and retain Americans’ phone records to help the NSA’s surveillance programs. According to the report, phone company executives and their lawyers have said they prefer the NSA to keep control over the records. A representative from CTIA-The Wireless Association said, “Our members would oppose the imposition of data retention obligations that would require them to maintain customer data for longer than necessary.” One key concern for the phone companies is liability. Former NSA official Stewart Baker said Congress “grudgingly” gave legal protection to phone companies after the 2001 terrorist attacks. “The phone companies were seared by their experience in Congress and can’t be enthusiastic about a return engagement,” he added. [The Associated Press]


US Government Programs

US – Court Upholds “Reasonable Suspicion” Requirement for Device Searches

The US Supreme Court has let stand an appellate court ruling that says border agents may search electronic gadgets without reason for suspicion. However, the lower court ruling also found that for the border agents to conduct in-depth forensic analysis of the devices, they must have reasonable suspicion of criminal activity. The case involves a California man whose laptops and cameras were seized and searched upon his return to the US from Mexico. The agents found evidence of child pornography on the devices. The appellate court ruled that the agents did have reasonable suspicion to search Howard Cotterman’s devices because his name was on a watch list as he is a convicted sex offender and travels frequently to places known for sex tourism. While agents are allowed to search devices on a whim—just as they would a vehicle—the court upheld the appeals court ruling that using software to “decrypt password-protected files or to locate deleted files” cannot be done without facts pointing to illegal activity, the report states. [WIRED] [ComputerWorld]

US – FISC Approves Gov’t Metadata Collection

National Intelligence Director James Clapper released a memo stating that the government has filed an application with and received approval from the Foreign Intelligence Surveillance Court to collect telephony metadata in bulk. “It is the administration’s view … that the telephony metadata collection is lawful,” the memo states. Meanwhile, The New York Times reports on a federal appeals court ruling that allows the Justice Department to continue to withhold a memo that allegedly “opened a loophole in laws protecting the privacy of consumer data.” The Times also reports on Jill Kelley, who is seeking damages and an apology from the government for revealing her name in the David Petraeus scandal. Washington University in St. Louis Prof. Neil Richards said, “This case shows that privacy is really important and that the legal rules we have are not tailored for modern technology.” [NBC News]

US – One-Hour Breach Mandate Is Wasteful, Says GAO Report

A GAO report released last month calls into question the effectiveness of new U.S. Office of Management and Budget (OMB) rules that require federal agencies to report PII-related data breaches to the Department of Homeland Security within an hour of their discovery. Further, “OMB staff said that they were unaware of the rationale for the one-hour timeframe, other than a general concern that agencies report PII incidents promptly,” the report reads, while saying that agencies are likely to have little to report with so little time to investigate what happened and why. Meanwhile, there are privacy hurdles to overcome with teenagers and new online patient portals. How much information should parents be allowed to see, and how can that be controlled? [FierceGovernmentIT]


US Legislation

US – Sens. Push for More Data Privacy; FTC Wants “Regulatory Humility”

US senators are calling for action on data privacy legislation in the wake of the Target breach, while on the same day, Federal Trade Commissioner Maureen Ohlhausen called for “regulatory humility” in light of the emerging Internet of Things market. Sen. Deb Fischer (R-NB) said, “Our nation’s entire data security system is in desperate need of revamping … That’s going to require congressional action.” Sen. Patrick Leahy (D-VT) also reintroduced his Personal Data Privacy and Security Act. Amidst such calls for legislative action, Ohlhausen said in prepared remarks at the CES that if new technologies do give rise to harms, “we should carefully consider whether existing laws and regulations are sufficient to address them before assuming that new rules are required.” Meanwhile, in light of a recent GAO report, Sens. Tom Coburn (R-OK) and Susan Collins (R-ME) are calling on agencies to adhere more strictly to federal guidelines and for the Office of Management and Budget to update its policies and increase oversight of breach procedures. [The Hill]

US – Documented Consent Needed to Avoid TCPA Claims

A federal court has denied a motion to dismiss a Telephone Communications Protection Act (TCPA) case, indicating that companies need to have proof of consent in order to avoid TCPA claims. The case involves a customer offering up her cellphone number in a loan application, which the Federal Communication Commission (FCC) has held as a valid form of prior consent; however, the company did not produce the customer’s actual application but an example of the application the company used at the time. “Were Defendant CheckSmart able to submit Plaintiff’s actual loan application showing that she provided these phone numbers, the court would need to evaluate the issue further,” wrote Judge Karon Owen Bowdre. According to the report, this serves as “a reminder that companies should ensure that they collect and retain sufficient documentation of compliance with the TCPA.” [Inside Privacy]

US – Ohlhausen: We Don’t Need New Laws

Law360 reports that during a Technology Policy Institute event last week, FTC Commissioner Maureen Ohlhausen pushed for government officials to “focus on enforcing the powerful laws we already have,” adding, “We simply do not need new talk, new laws or new regulations.” Ohlhausen voiced her opinion that Big Data doesn’t raise “fundamentally new issues,” and before assuming new rules are needed, officials should consider whether existing law will address problems that arise from new technologies.

US – House Passes Two ACA Security, Transparency Bills

On January 10, the House of Representatives passed the Health Exchange Security and Transparency Act, which would require the Department of Health and Human Services to notify individuals within 48 hours of a health exchange breach. While House Republicans say it’s important for patients to know of breaches quickly, President Barack Obama has said it would mean “unrealistic and costly paperwork requirements,” noting that it does nothing to improve perceived security flaws in the exchanges. The bill is expected to fail in the Senate. [HealthIT Security] On January 16, the House passed the Exchange Information Disclosure Act, which, among other provisions, would mean Congress would receive weekly reports on technical problems with, “including those related to consumer privacy and data security.” [GovInfo Security]

US – 20 Bills to Watch This Year

Inside Privacy offers up a list of pending legislation that privacy professionals should keep an eye on this year. Included in the list are the Personal Data Privacy and Security Act of 2014, the Electronic Communications Privacy Act Amendments Act of 2013 and the Drone Aircraft Privacy and Transparency Act of 2013 in the Senate and in the House, the Do Not Track Kids Act, the Cyber Privacy Fortification Act of 2013 and the GPS Act.

US – CA Rep. Introduces NSA Collection Restructuring Bill

Rep. Adam Schiff (D-CA) has introduced a proposal that would eliminate call records from the types of information the government can collect under the USA PATRIOT Act, according to a press release. Instead, approval from the Foreign Intelligence Surveillance Court would be required to access call records on a case-by-case basis. The bill “mirrors the restructuring of the telephone metadata program recommended by the President’s Review Group on Intelligence and Communications Technologies, as well as changes that Congressman Schiff has been advocating for since before the metadata program was made public,” the release states.

US – Proposed California Bill Would Ban Agencies from Helping NSA

Two California state senators have introduced legislation that would prohibit state officials, state agencies, and companies providing services to the state from helping the NSA with surveillance without a specific warrant. Information gathered without such a warrant would be inadmissible as evidence in California courts. State and locally owned utilities would also be prohibited from supplying NSA facilities with water and electricity. [ComputerWorld] [SC Magazine]

US – CA Bill Would Prohibit Selling of License-Plate Camera Data

Sen. Jerry Hill (D-San Mateo) has introduced SB 893, which would prevent police from selling data from license-plate reading cameras to private parties, while still allowing them to use the data in investigations. The bill would also require police to obtain a warrant to access license-plate data more than five years old and allow victims to sue and recover damages. [The Almanac]

US – Florida to Reconsider Prescription Drug Database

State Senator Aaron Bean (R-District 4) is drafting a bill that would restrict access to the state’s prescription drug database. The Florida Department of Health last year gave defense attorneys the prescription histories of 3,300 people. Bean claims this was outside the scope, and the incident inspired him to write legislation to address it. [WOKV]

US – Maine Considering Social Media Bill

LD 1194, sponsored by Rep. Michael McClellan (R-Raymond), would prohibit employers or educational institutions from requiring a student, employee or prospective employee to provide access to social media or personal e-mail accounts. Opponents of the bill say it could make it harder for school officials to address cyberbullying; however, an ACLU of Maine representative said provisions in the bill allow for schools to access an account after contacting a parent in specific circumstances. The Judiciary Committee is scheduled to consider the bill again this week. [Kennebec Journal]

US – Maryland to Consider Anti-Surveillance Package

A bipartisan group of lawmakers in Maryland introduced a package of bills that would require state and local police to get a warrant before intercepting e-mail communications or tracking individuals using drones, mobile phones or license-plate readers, reports The Washington Post. “The technology has gotten way out in front of the law,” said Sen. Jaime Raskin (D-Montgomery).

US – South Carolina Considers Digital Privacy Legislation

Members of the South Carolina House say they plan to pass a digital privacy law this year that would give mobile phones protections similar to those afforded to homes. House Speaker Bobby Harrell (R-Charleston) says that since the 2012 breach at the Department of Revenue, the issue of protecting citizens’ data has gained momentum, noting, “In today’s society, privacy is becoming a harder and harder thing to protect.” A state law enforcement spokeswoman said officers have concerns that a digital privacy law would “affect our ability to get violent offenders off the streets.”

US – NH Reps. Introduce State Drone Privacy Bill

After a failed attempt to pass a drone privacy bill last year, New Hampshire Reps. Neal Kurk (R-District 2) and Joe Duarte (R-District 2) have introduced bills requiring police to get a warrant in order to use information obtained through drone use in court. In an effort to thwart concerns voiced last year, Kurk’s bill includes a provision stating that it would only take effect if allowed under federal law. [Associated Press]

US – Washington Sen. Calls for Student Data Study

Rep. Elizabeth Scott (D-Monroe) has sponsored a bill calling for a study into how much student data is being released without consent. The bill aims to help the legislature decide whether it should change data handling practices. Scott says she’s concerned about changes to the Family Educational Rights and Privacy Act that allow personally identifiable data to be shared with companies, adding that the growth of programs like the Common Core State Standards will increase the amount of data collected. The House Education Committee is scheduled to discuss the bill on Wednesday. [KUOW]

KY – Kenyan Official to Get Access to Mobile Network User Info

The Kenya Information and Communication Amendment Act 2013 is expected to be signed into law this week and would mean the Communications Commission of Kenya (CCK) would have unlimited access to mobile network consumers’ confidential information. There are questions surrounding the constitutionality of the act, however. While one article guarantees citizens a right to privacy, another—used to justify the regulation—allows any citizen access to “information held by the state or any information that is held by another person and that is required for the exercise or protection of any right or fundamental freedom,” the report states. [ITWeb Africa]

US – U.S. Lawmakers to Introduce Bill on Driver Privacy

Privacy concerns are growing over the increasingly sophisticated technology systems in cars. While automakers say they are responding to consumer demand, privacy advocates disagree. Sens. John Hoeven (R-ND) and Amy Klobuchar (D-MN) will soon introduce a bill that would put car owners in control of the data collected on the vehicle event data recorders commonly known as black boxes. “We’ve got real privacy concerns on the part of the public,” Hoeven said. “People are very concerned about their personal privacy, especially as technology continues to advance.” [The New York Times]

US – Court Denies Suit Alleging Data Broker’s Liability

The U.S. Supreme Court has denied a New York man’s request to hold a data broker liable for illegally selling data taken from Department of Motor Vehicles records. The records were sold to a stranger who allegedly tracked down Erik Gordon and harassed him. The court “refused to grant certiorari” to Gordon’s challenge to a Second Circuit ruling, which rejected his efforts to sue Softech International for the alleged privacy breach. [Law360]

US – TeleCheck to Pay $3.5M for FCRA Violations

The FTC announced that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for a FCRA violation. [Full Story]

US – Kentucky May Become 47th Breach Notification State

Breach notification bills are beginning to pile up in the U.S. Senate, and lawmakers in Kentucky have introduced data breach notification legislation that, if passed, would make Kentucky the 47th state to enact such legislation. One expert says there currently isn’t support for a bill covering the private sector, but there is for the public sector. [GovInfoSecurity]

US – Anti-NSA Surveillance Legislation Proposed in MO and KS

A resolution proposed in Missouri would make e-mails, phone records and Internet records, among others, obtained without a warrant inadmissible in court, reports Tenth Amendment Center. SJR 27 proposes an amendment to the state’s constitution that adds “electronic communications and data” to the list of things protected from unreasonable searches and seizures. In Kansas, State Rep. Brett Hildabrand has pre-filed the Kansas Fourth Amendment Preservation and Protection Act, which addresses the issue of information sharing. “The bill would ban all state and local government in the state from ‘possessing or attempting to possess’ such information unless a person gives ‘express and informed consent,’ or the local or state government ‘obtains a warrant, upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized,’” the report states. [The Washington Times]

CY – New Data Protection Bill in the Caymans Expected

After receiving less-than-positive feedback last time it was introduced for comment, a revised data protection bill is expected to come before the Legislative Assembly in the coming year. The bill would apply to both public- and private-sector organizations in the Cayman Islands as well as “entities outside the islands that have certain data processing functions here,” the report states. The Human Rights Commission has reviewed the bill and passed it along to the Legislative Assembly, identifying some concerns including the complexity of the bill.

US – PA Bill Would Expand DNA Collection

The Pennsylvania House of Representatives is considering a bill that would require police to collect DNA samples from people arrested for any felony or misdemeanor that requires registration as a sex offender. Senate Majority Leader Dominic Pileggi (R-DE) introduced the bill and says passing the bill would put the state on par with others that have expanded their DNA databases. [TribLive]

US – Trends for 2014? Try Increased Enforcement

California’s Do-Not-Track (DNT) law has gone into effect, mandating websites indicate in their privacy policies how they respond to DNT signals. Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis said, “There’s always smoke in a handful of state legislatures, but there’s only fire in California.” In light of NSA surveillance of Europe, the EU is expected to come down strong on its Safe Harbor agreement with the U.S. ZwillGen Privacy Counsel Mason Weisz said, “The Europeans are upset, and I think there will be some attempt to placate them in the U.S.” Finally, industry and federal enforcement is expected. The Better Business Bureau has promised to increase enforcement in the behavioral advertising ecosystem, while the FTC is expected to bolster enforcement of the recently updated Children’s Online Privacy Protection Act. With pressure from industry and federal regulators, Weisz said it will “encourage companies to make more representations … and more representations means more risk.” [AdAge]


Workplace Privacy

US – Balancing Wellness Programs and Proper Data Sharing

HR pro Michelle Hicks writes on the proper way to balance implementation of wellness programs at your firm while being mindful of employee privacy. While these programs offer many benefits both for the employees themselves and for the corporate bottom line, they also “ask employees to share information that is so personal that they may not even tell their spouse,” Hicks writes, “like their weight and their body mass index.” She then walks you through the important questions to be asking, information to be sharing and practices to put in place so that both employer and employee are protected. [Idaho Business Journal]

WW – When the Quantified Self Is In the Office

As the quantified-self movement continues to grow more popular, how does it fit into the workplace? Stanford Graduate School of Business Associate Prof. Harikesh Nair said, “It’s definitely an incredible revolution that is going to happen in workplace measurement,” adding it can be a positive development for businesses, giving employers clearer insight on how their employees interact with one another and what makes them successful, the report states. One company is using wearable devices to track its sales staff to improve responsiveness and productivity, which has shown a five- to 10-percent gain in productivity. [Fast Company]

US – Overview of Workplace Privacy Legislation for 2014

New laws that went into effect on January 1 are a harbinger of what employers may expect to see in the coming year regarding workplace privacy: more restrictions on access to applicants’ and employees’ criminal history, credit information and personal social media content. To further complicate the challenges of addressing privacy in the workplace, employers will be required to grapple with next-generation issues raised by the use of social media as a business tool and the increasing adoption of bring your own device (BYOD) programs. As reflected in the summary below, the ever-shifting balance between employer prerogative and employee privacy likely will continue to move in a direction that favors employee privacy.

Criminal History Information: With the start of 2014, Minnesota and Rhode Island joined the wave of jurisdictions that have “ban-the-box” legislation. These laws generally prohibit employers from requesting criminal history information in the employment application. Ban-the-box laws have also been enacted in Buffalo, NY; Hawaii; Massachusetts; Newark, NJ; Philadelphia, PA, and Seattle, WA. Similar bills are pending in 26 states. These laws create challenges for employers because they establish both varying rules on the point in the hiring process at which an employer can request criminal history information and different procedural requirements surrounding such requests. Also effective on January 1 is a new California law that prohibits employers from asking about or considering information concerning applicants’ criminal convictions that were judicially dismissed or ordered sealed. This new law adds to a growing list of state law restrictions on employers’ inquiries into criminal history information—in addition to restrictions on inquiries about criminal history in the employment application. In addition to new legislation in this area, employers likely will also see continued aggressive enforcement by the Equal Employment Opportunity Commission (EEOC) regarding employers’ use of criminal history for employment decisions and increased litigation by the plaintiffs’ class action bar which won several seven-figure settlements in 2013 based on employers’ alleged violations of the federal Fair Credit Reporting Act (FCRA) when conducting criminal history checks.

Credit Information: On January 1, regulations implementing Colorado’s Employment Opportunity Act became effective. The law and its implementing regulations are similar to laws enacted in nine other states that restrict the use of credit information for employment purposes. These laws generally prohibit employers from procuring credit information on applicants and employees unless the information is “substantially job related.” However, the laws establish materially different definitions of that key statutory term. The states that have enacted such laws, in addition to Colorado, include California, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington. Similar bills are pending in 35 states. In addition, in December 2013, U.S. Senator Elizabeth Warren introduced a bill that would impose restrictions on employers’ use of credit information for employment purposes that are more stringent than any of these state laws.

Social Media Passwords: On January 1, Oregon became the twelfth state with a “social media password protection” law, joining Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Utah, and Washington. These laws share one common thread: they all prohibit employers from asking applicants for their user name, password or other login credentials for their personal social media accounts, and all of the laws, except New Mexico’s, impose the same prohibition with respect to employees. Unfortunately, beyond that, the laws vary materially in terms of prohibited conduct, exceptions and remedies. Employers will likely face increasing complexity in this area in 2014 as bills addressing access to applicants’ and employees’ personal social media accounts are pending in 15 states.

Other Social Media Issues: Since January 2011, the National Labor Relations Board (NLRB or “Board”) has repeatedly struck down provisions of employers’ social media policies and reversed employer discipline of employees based on employees’ personal social media activity. According to the Board, these employers violated Section 7 of the National Labor Relations Act (NLRA) by implementing policies that interfered with employees’ right to discuss the terms and conditions of employment or by disciplining employees for exercising that right in social media. Because social media have become an integral part of daily life for so many employees, in 2014, employers will continue to confront these issues. Employers also may encounter a new set of issues arising from their growing reliance on social media to advance their business interests. Recent decisions by the NLRB’s administrative law judges and recent statements by the NLRB’s recently confirmed general counsel suggest that if employers allow employees to use corporate social media platforms, such as Yammer or Chatter, or corporate social media pages for non-business purposes, the NLRB will attempt to impose the same restrictions on employers that it has applied to employees’ personal social media activity. In other words, without carefully drafted policies or terms of use, employers run the risk that corporate-sponsored social media sites could be subverted for employees’ complaints about the terms and conditions of employment.

Bring Your Own Device: The “consumerization of IT” will continue to expand in 2014 as more employers hope to reap savings from employees using their personal devices, rather than corporate-owned devices, to conduct their employer’s business. These bring your own device programs pose fundamental challenges for employers seeking to safeguard customer and corporate data without unlawfully accessing employees’ personal information. While many employers have addressed the balance through BYOD policies and user agreements, that balance will become only more challenging to maintain in 2014 from an operational perspective as employees increasingly rely on mobile apps to store sensitive information about themselves, such as blood pressure, blood sugar level and heart rate. For multinational employers, the roll-out of BYOD programs in 2014 to their employees in the European Union and other jurisdictions with broad data protection laws can create even more substantial challenges. In many of these jurisdictions, employers face greater restrictions than in the U.S. on access to an employee’s personal device. In addition, employers must implement systems that will permit data subjects to obtain access to, and update, their personal data even when it is stored on an employee’s personal device.

Conclusions and Recommendations: In sum, it is likely that two major trends will continue to play out in 2014 in the area of workplace privacy, and in a direction that favors employees. First, legislators, enforcement agencies and the plaintiffs’ bar will likely continue their efforts to narrow the scope of information that employers can consider when making employment decisions about applicants and employees. Second, technology will continue to blur the lines between work and personal life, with personal life expanding into work life—not the other way around. However, the widening scope of the NLRA and the increasing number of countries with broad data protection laws will compel employers to tolerate this “intrusion” of personal life into work. Employers should consider the following steps in response to these trends:

  • Review existing practices for collecting and using criminal history, credit and personal media information about applicants and employees and implement policies to ensure compliance with state law restrictions on the collection of such information as well as with the federal Fair Credit Reporting Act’s background check requirements;
  • Implement a social media policy, or update the organization’s existing policy, to address recent NLRB decisions with respect to both employees’ personal social media activity and employees’ social media activity on the employer’s behalf;
  • Require that all U.S. employees execute a BYOD user agreement before permitting them to use a personal mobile device to conduct company business;
  • Before rolling out a BYOD program to non-U.S. employees, evaluate whether local law will permit the employer to take the necessary steps (such as access to, and monitoring of, the personal device and remote wipe) to safeguard corporate and customer data and develop systems for complying with requests by data subjects to exercise their rights with respect to data stored on employees’ personal devices.


16-31 December 2013


WW – Advancements in Facial Recognition Raise Privacy Questions

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [The New York Times]

WW – How Reflections in Victim’s Eyes Could Help Identify Perpetrators in Hostage Situations

New research suggests that police investigating crimes in which the victims were photographed may find hidden clues by looking for reflections in victims’ eyes. Pupils, the researchers said, can reveal “surprisingly rich” information, as they essentially act as a “black mirror.” By zooming in on the eyes and adjusting the contrast, police investigators could potentially use high-resolution photographs to identify a victim’s surroundings, including their assailant. The article was written by psychologists Rob Jenkins, of the University of York in England, and Christie Kerr, of the University of Glasgow. To test their theory, the researchers shot “passport-style” photographs of individuals and then zoomed in to recover facial images of bystanders in the reflections of subjects’ eyes. The reflected facial images were typically about 30,000 times smaller than the subjects’ faces. Thus, the quality of the images was not great, the researchers wrote. Despite the poor quality, study participants who were shown eye-reflected images of people they did not know were still able to identify them later in a face-matching test 71% of the time. When shown eye-reflected images of people they did know, study participants were able to identify them 84% of the time. “Our findings thus highlight the remarkable robustness of human face recognition, as well as the untapped potential of high-resolution photography,” Jenkins said in a news release. [The National Post]

WW – Can Robots Better Spot Terrorists at Airports?

Aviation and government authorities are starting to use machines in lieu of people to verify the identities of fliers by scanning their faces, irises or fingerprints. Dozens of airports in Europe, Australia and the U.S. already employ such technology so passengers can pass immigration checks without showing identification to, or talking with, a person. Now, several major airports in Europe have started using these automated ID checks at security checkpoints and boarding gates. Ultimately, the technology could “get rid of the boarding pass completely,” with fliers’ faces serving as their tickets, said Michael Ibbitson, chief information officer of London Gatwick Airport. Gatwick performed a trial this year in which it processed 3,000 British Airways fliers without boarding passes. The fliers scanned their irises when checking in, enabling cameras at security checkpoints and boarding gates to automatically recognize them. “We’re only just starting to see what biometrics can do,” he said. Critics, however, worry that relying too much on automation will dull the senses of human screeners and remove the human intuition that can detect when something just doesn’t seem right. About 28% of the world’s airports now use biometric technology, up from 18% in 2008, according to a survey by SITA, an airline IT provider. [Wall Street Journal]

US – Tech Giants and Privacy Advocates Square Off Over Facial Recognition

Facebook Inc., Wal-Mart Stores Inc. and other companies planning to use facial recognition scans for security or tailored sales pitches will help write rules for how images and online profiles can be used. The U.S. Department of Commerce will start meeting with industry and privacy advocates in February to draft a voluntary code of conduct for using facial recognition products, according to a public notice. The draft will be ready by June. The code of conduct will apply only to commercial use, not to how law enforcement or spy agencies may use it. [The Vancouver Sun] [Facebook facial recognition matches abused child’s image to aid in arrest]


CA – Stoddart Departs Commissioner’s Post

Privacy Commissioner Jennifer Stoddart is departing from office and the work she did while there, including taking on big companies like Google and Facebook in defence of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier has stepped up as interim privacy commissioner until Stoddart is replaced. [Vancouver Sun]

CA – Cavoukian Investigating Report of Data-Sharing with Border Services

Ontario Information and Privacy Commissioner Ann Cavoukian will investigate reports of private health information “being shared with U.S. border services, saying it’s a matter ‘of grave concern’ to her.” In an e-mail to the province’s New Democrats (NDP), who sought her help, Cavoukian noted her office “will investigate the matter and ensure that the personal health information of Ontarians is not being compromised by any organizations under my jurisdiction,” the report states, noting the NDP’s France Gélinas indicated being “contacted by three people who have been denied entry” into the U.S. based on personal health reasons. “All Ontarians need to be assured that their personal information is never shared without their consent,” Gélinas said. [Huffington Post] SEE ALSO: [Cavoukian Discusses Privacy by Design on U.S. Public Radio] and [Canadian spy watchdog decries ‘misinformation’ flowing from recent Snowden leaks]

CA – Commissioner Calls on Ministry to Take Action After Breach

Saskatchewan Privacy Commissioner Gary Dickson says the Ministry of Highways must take further action after a worker snooped on a driver. Following a traffic incident between a transport compliance branch employee and another driver, the employee looked up the driver’s personal details via the Saskatchewan Government Insurance (SGI) database and then contacted the driver, the report states. The driver then complained to SGI and the Royal Canadian Mounted Police. Employees of the transport compliance branch are permitted to use the SGI database only for certain purposes. The employee has been suspended for 20 days without pay, according to the highways minister, but the privacy commissioner wants stronger action. [Times-Colonist]

CA – Commissioner: Pharmacy Employee Broke Province’s Rules

Alberta Privacy Commissioner Jill Clayton has said a “casual employee at a pharmacy inside a southeast Calgary Shoppers Drug Mart contravened the province’s Health Information Act last year when he phoned and tried to Facebook ‘friend’ a woman who had filed a prescription.” “Employers have a responsibility to inform and train their staff on the appropriate use of health information,” Clayton said, adding, “Health information systems are for healthcare, not matchmaking.” Clayton’s investigation found the employee, who is no longer employed at the pharmacy, misused health information while the pharmacy’s manager did not implement appropriate safeguards. [CBC News]

CA – Opinion: Bill C-13 Is Unnecessary

In a National Post op-ed, George Jonas examines the Protecting Canadians from Online Crime Act, often referred to as Bill C-13 or the anti-cyberbullying law, noting that while he “wasn’t unduly concerned about it when it was being attacked by its critics,” his perspective shifted “when the government started defending it.” He writes that the critics did little to persuade him that Bill C-13 was a bad law, but “the defenders have convinced me that the law is worse than bad: It’s unnecessary. What it outlaws for a good reason is already against the law; the rest is just the state trying to enter the nation’s computer rooms.” [National Post]

CA – CSEC Sends Strong Message of Privacy to New Recruits

Watch out for foreign spies, hackers, terrorist sympathizers and disgruntled employees. Tell acquaintances you work for a “generic” government agency. Leave any iPods, USB sticks and cellphones at home. At day’s end, turn off your computers, lock down files and make sure not to take home anything classified. Spilling secrets means risking going to jail. The “CSEC 101: Foundational Learning Curriculum” comprises dozens of PowerPoint decks that are intended to help new employees at the Ottawa agency find their feet. The Globe and Mail obtained the 650-page manual through Access to Information laws. [Globe and Mail]


WW – Study: People Willing to Exchange Privacy for Cost Savings

A new survey indicates just how much privacy people are willing to trade in exchange for monetary benefits. The Intel and Penn Schoen Berland survey, which polled people in eight countries, found that 70% would be willing to share data from a “smart toilet” if it meant lower healthcare costs, and 84% would be willing to share vital statistics such as blood pressure or lab tests. The survey also found 75% would be willing to share data obtained via a health monitor they could swallow. [WIRE] See also: [Data-Driven Dating: How Data Are Shaping Our Most Intimate Personal Relationships] And also: [Yes, Consent Is Dead. Further, Continuing To Give It A Central Role Is Dangerous]

US – Customized Airline Deals Raise Privacy Concerns

When you go online to search for an airfare, you often see the lowest price appear at the top of your computer screen. But what if your airline search site instead offered you a customized flight package deal—adding extras like wireless Internet access and a seat with extra legroom—based on what you have booked in the past? In the future, airlines will increasingly offer you customized airfares based on detailed information carriers have collected, even data about your income, the neighborhood where you live and your travel patterns, according to industry experts. It’s a trend that worries consumer advocates. “It will be the death of comparison shopping,” said Charles Leocha, director of the nonprofit Consumer Travel Alliance and author on travelers rights. A consumer protection panel, appointed by the U.S. Department of Transportation, will meet in Washington to discuss customized airfare pricing. The panel could recommend a new federal rule that requires airlines to disclose what information they are collecting from travelers. [LA Times]

WW – Study: Consumers Will Pay $5 for an App That Respects Their Privacy

A new report finds that people are wary of the hidden costs of free. A new study from economists at the University of Colorado finds that the average consumer would prefer to pay small fees for their apps in exchange for keeping their information private and their screens uncluttered. In their study, Scott J. Savage and Donald M. Waldman surveyed 1,700 smartphone users, presenting them with a set of apps they could purchase. One of the apps was a real, free app, currently available in the iTunes and Google Play stores. Five other apps were also suggested and were said to have exactly the same functionality as the free app. But these five came with varying levels of privacy and advertising protections (some protected location data, others address book contents, and so on), and all had a price tag. What Savage and Waldman found is that consumers were willing to spend a bit more to keep their data to themselves, and just how much depended on which data were at stake. For example, on average, consumers were willing to spend $2.28 for an app that would not read their browser history; $4.05 for an app that would not have access to their contacts; $1.19 for an app that did not track their location; $1.75 for an app that did not obtain their phone’s ID number; $3.58 to prevent an app from having access to the contents of their text messages; and $2.12 for an app that had no advertising. Because the “average” app (as determined from a sample of more than 15,000 Android apps) has both advertising and access to a person’s location and their phone’s ID, Savage and Waldman say that paid versions of such apps could rake in somewhere around $5 per download. That’s way, way more than the pocket change that most free apps bring in per download.
What’s more, Savage and Waldman use that $5 figure to do some back-of-the-envelope figuring: Given that the average consumer in their study has 23 apps, and given how many smartphone users there are in the U.S., they calculated the total amount that consumers would spend, if only the apps were there for them to buy: $16 billion. And that’s the conservative, lower-bound estimate. [Reuters]

WW – Privacy Messages Sent Through Art

Last year, approximately 4.7 million passwords were stolen from LinkedIn and leaked online. To many, it was a concerning development, but for one person, the event provided an opportunity to make art. Conceptual artist Aram Bartholl has unveiled “Forgot Your Password,” an exhibit featuring eight books containing all the passwords arranged in alphabetical order, now on display in Germany. This is just one of countless artistic creations riffing on privacy in the modern world. This Privacy Perspectives post looks into a variety of artistic expressions of privacy, including a look at the IAPP’s Art Gallery. [Source]

US – Consumers Warming Up to Smart Meters

Consumers’ fears over smart meters are beginning to dissipate. That’s according to a survey by Navigant Research, which found the percentage of customers who have “favorable” or “very favorable” attitudes toward smart meters has increased from about 37 percent in 2010 to about 43 percent in 2013. While the numbers are improving, “utilities still have some distance to go in building majority support for these technologies.” [FierceSmartGrid]


US – State Employee Downloaded SSNs to Personal Computer

Despite a warning on computer security, a state employee who resigned last week says he downloaded data on 6,300 teachers so he could work from home. The 24-year-old former Tennessee Department of Treasury worker told authorities he e-mailed data from a state computer system to a personal account. He uploaded a Tennessee Consolidated Retirement System file containing Social Security numbers of active teachers, violating the treasury’s privacy policy. The man has not been charged with a crime, but all affected teachers have been notified. [The Tennessean]

US – Voter Info for Sale in Oregon

The Oregon Secretary of State’s Office has made nearly $90,000 in fees during the past five years by selling voter information to political parties or campaigns and, sometimes, to private corporations that turn around and sell the data for a profit. The state charges $500 for the database, which includes full names, addresses, phone numbers, date of birth, party registration and voter history. It does not include how anyone voted. The people who buy the database are not supposed to use it for commercial purposes, said Tony Green, a spokesman for Secretary of State Kate Brown. In fact, they must sign a form agreeing not to do so. Records show that many for-profit companies have purchased the entire database during the past five years. Green said the law does not define “commercial purposes,” and the state relies on complaints before enforcement. First-time violators are fined $75. Just one complaint has been filed since 2006, and it was against Oregon Health & Science University, which is “a public corporation and not considered operating for commercial purposes,” Green said. Other states, including California and Washington, have similar restrictions on how data can be used; however, they levy very different consequences. In Washington, for example, misuse of the data is a class C felony punishable by up to five years in prison and/or a $10,000 fine. Records show Oregon has sold the database to companies all over the U.S. that are using it to make a profit despite having signed the affidavit. [Statesman Journal]

US – US Federal Election Commission Audit Finds Computer Security Issues Unaddressed

An audit report from the Office of Inspector General of the Federal Election Commission (FEC) says the agency has not taken steps to improve computer security. An intrusion in 2012 compromised a Commissioner’s user account so that the attackers could use it to access confidential information. FEC has suffered two additional intrusions since August 2013. The audit report notes, “Failure to develop a strong IT security program places FEC at high risk of continued network intrusions.” [Rollcall] [Report]

US – Kerry to Work on Privacy, Big Data at MIT

Cameron Kerry, former acting secretary and general counsel of the Department of Commerce, will join the MIT Media Lab as a visiting scholar. Kerry will work with Prof. Alex “Sandy” Pentland and the Human Dynamics research group on topics related to privacy and personal data ownership as well as on Pentland’s Big Data for Public Good research initiative, the report states. Pentland said Kerry will be “instrumental in bringing together key players, including governments, multilateral organizations and multinational corporations.” [MIT News]


WW – Time to Rethink E-mail Privacy?

The world of privacy is changing, including a recent change to the terms of service for Rogers Communications’ e-mail service, which is managed by Yahoo. The new terms include the notice that Yahoo “identifies words, links, people and subjects from your e-mail messages and other messages archived,” among other things, so that the company can deliver more relevant ads. One journalist, according to the report, thinks the changes ask him to give up too much privacy, and a Canada-based regulatory group has joined a global effort to urge advertisers to disclose to users when ads are derived from such e-mail scanning. [Globe & Mail]

Electronic Records

UK – Finra Fines Barclays Capital Over Improper Electronic Record Keeping

The Financial Industry Regulatory Authority said it fined Barclays PLC’s capital arm $3.75 million for failing to keep electronic records properly for at least 10 years. Finra said that from at least 2002 to 2012 Barclays Capital Inc. allegedly didn’t preserve many of its required electronic books and records, including order and trade ticket data, trade confirmations, account records and other items, in the proper format. Business-related electronic records must be kept in a non-rewritable, non-erasable (write once, read many) format, according to Finra and federal securities law. Finra said these issues were widespread across all of Barclays’ businesses, so the firm was unable to determine whether all records had been kept in an unaltered condition. In addition, Barclays failed to keep certain attachments to e-mails sent via systems maintained by financial information provider Bloomberg LP between May 2007 and May 2010, along with 3.3 million Bloomberg instant messages between October 2008 and May 2010, the industry self-regulatory body said. Finra said that failure violates Securities and Exchange Commission, National Association of Securities Dealers and its own rules and regulations and affected Barclays’ ability to respond to requests for electronic communications. Barclays also didn’t establish and maintain a system and written procedures to ensure compliance with SEC, NASD and Finra rules, Finra said. “Ensuring the integrity, accuracy and accessibility of electronic books and records is essential to a firm’s ability to meet its compliance obligations,” said Brad Bennett, Finra’s executive vice president and chief of enforcement. [WSJ.COM]


WW – RSA Denies Accepting US $10 Million from NSA to Use Faulty PRNG

RSA has denied allegations that it was paid US $10 million by the NSA to make a flawed PRNG (pseudo-random number generator) the default in its BSafe crypto library. According to a Reuters story, RSA’s adoption of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) gave the NSA a widely used implementation to point to when it pushed for the algorithm’s inclusion in the National Institute of Standards and Technology’s (NIST’s) Recommendation for Random Number Generation Using Deterministic Random Bit Generators (SP 800-90). The concern is not new: in 2007, Microsoft researchers Dan Shumow and Niels Ferguson showed that anyone who knows the discrete-logarithm relationship between the standard’s two fixed curve points, P and Q, can recover the generator’s internal state from a single output block and then predict everything it produces afterward. In a blog post, RSA said, “we never have entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.” [The Register] [ZDNet] [BBC] [ArsTechnica] [ArsTechnica] [RSA Post]
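The weakness that makes the allegation matter is easy to see on a toy curve. What follows is an added illustrative example, not RSA’s BSafe code or NIST’s reference implementation: it implements the Dual EC construction (state update s <- x(s·P), output x(s·Q) with the top bits dropped) on a small curve y² = x³ + 2x + 3 over F_97 with a 5-bit truncation, deliberately sets P = e·Q for a known trapdoor e, and shows that whoever holds e recovers the internal state from one output (plus a few later outputs used only to discard false candidates) and can then predict every output the attacker was not shown. The curve, the trapdoor value, the seed selection and the ±R sign handling are constructed for the demo; with P-256 and the real standard’s 16 discarded bits the candidate enumeration per output grows to 2^16, but the mechanism is the same.

```python
"""Toy Dual EC DRBG with a trapdoored point (added illustrative example).

Constructed stand-ins: the curve y^2 = x^3 + 2x + 3 over F_97 replaces
P-256, and keeping 5 of 7 bits per output replaces the standard's
discarding of the top 16 of 256 bits. The trapdoor e with P = e*Q is
chosen here on purpose; in the real standard P and Q were fixed
constants whose relationship, if any, was never explained.
"""

P_MOD, A, B = 97, 2, 3      # toy curve parameters (constructed)
OUT_BITS = 5                # bits of each x-coordinate that are emitted


def inv(v):
    """Modular inverse in F_P_MOD (P_MOD is prime, v != 0)."""
    return pow(v, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def points_with_x(x):
    """Curve points with the given x-coordinate (none, or a +/- pair)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]


def x_of(pt):
    """x-coordinate of a finite point; the toy refuses the infinity case,
    which a 97-element curve hits occasionally and P-256 never does."""
    if pt is None:
        raise ValueError("degenerate: scalar multiple is the point at infinity")
    return pt[0]


def truncate(x):
    return x & ((1 << OUT_BITS) - 1)


def drbg_step(state, P, Q):
    """One Dual EC round: s <- x(s*P); r <- x(s*Q); emit truncated r."""
    s = x_of(ec_mul(state, P))
    return s, truncate(x_of(ec_mul(s, Q)))


def drbg_outputs(seed, P, Q, n):
    """n successive outputs starting from internal state `seed`."""
    s, outs = seed, []
    for _ in range(n):
        s, r = drbg_step(s, P, Q)
        outs.append(r)
    return outs


def recover_state(outputs, e, P, Q):
    """Trapdoor holder (knows e with P = e*Q): from outputs[0] find
    R = +/-s*Q, compute e*R = s*P, whose x-coordinate is the next internal
    state; keep candidates that reproduce the remaining observed outputs."""
    found = set()
    for x in range(outputs[0], P_MOD, 1 << OUT_BITS):   # undo truncation
        for R in points_with_x(x):                    # R and -R give the same x below
            try:
                s_next = x_of(ec_mul(e, R))
                predicted = [truncate(x_of(ec_mul(s_next, Q)))]
                predicted += drbg_outputs(s_next, P, Q, len(outputs) - 2)
            except ValueError:
                continue
            if predicted == outputs[1:]:
                found.add(s_next)
    return found


def demo(observed=4, withheld=3):
    """Plant the trapdoor, run the generator, hand the attacker `observed`
    outputs, and return what the attacker recovers plus the withheld tail."""
    Q = next(pt for x in range(1, P_MOD) for pt in points_with_x(x))
    e = next(k for k in range(17, P_MOD) if ec_mul(k, Q) is not None)  # trapdoor
    P = ec_mul(e, Q)                                  # P = e*Q
    for seed in range(1, P_MOD):                      # skip toy-curve degenerate seeds
        try:
            s1, r1 = drbg_step(seed, P, Q)
            s2, r2 = drbg_step(s1, P, Q)
            tail = drbg_outputs(s2, P, Q, observed - 2 + withheld)
        except ValueError:
            continue
        outputs = [r1, r2] + tail
        recovered = recover_state(outputs[:observed], e, P, Q)
        predicted_tail = {}
        for c in recovered:
            try:
                predicted_tail[c] = drbg_outputs(c, P, Q, len(tail))[observed - 2:]
            except ValueError:
                predicted_tail[c] = None
        return {"seed": seed, "true_state": s2, "observed": outputs[:observed],
                "withheld": outputs[observed:], "recovered": recovered,
                "predicted_tail": predicted_tail}


if __name__ == "__main__":
    result = demo()
    print("attacker sees     :", result["observed"])
    print("recovered state(s):", sorted(result["recovered"]), "true:", result["true_state"])
    print("withheld outputs  :", result["withheld"])
    print("predicted from recovered state:", result["predicted_tail"][result["true_state"]])
```

The sign of R never matters, because e·(−R) = −(e·R) has the same x-coordinate; the only work the trapdoor holder does is enumerating the truncated bits and discarding candidates that fail to reproduce the next few outputs. Without e there is no shortcut, which is exactly why the provenance of the standard’s fixed Q was the question.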

WW – Researchers Steal Encryption Keys by Listening to Computer’s Sounds

Researchers have demonstrated that it is possible to steal RSA decryption keys simply by listening to the sounds a computer makes while running decrypt routines. The technique has limitations. It would be necessary to send thousands of encrypted messages to a system that opens the messages automatically. Also, the targeted key could not be password protected. [ArsTechnica] [The Register] [NBC News] [Research Paper]

EU Developments

EU – EDPS Releases 2014 Inventory

The European Data Protection Supervisor (EDPS) has released its 2014 inventory, a strategic planning document highlighting key areas of focus for the year ahead. “As the second mandate of the EDPS will come to an end in early 2014, it is appropriate to highlight that privacy and data protection have now become relevant in a wide range of EU policies,” said outgoing EDPS Peter Hustinx, adding, “The recognition of privacy and data protection as fundamental rights means that their delivery in practice must remain a high priority on the EU political agenda.” Among the key areas of strategic importance for 2014 are a new legal framework for data protection and rebuilding trust in global data flows. [Full Story]

EU – German Parliament Elects New Federal Data Protection Commissioner

With Peter Schaar leaving the position of German Federal Data Protection Commissioner on December 17 after 10 years of service, the coalition German government needed to nominate a replacement for confirmation in the Bundestag. On Thursday, they appointed Andrea Voßhoff, a member of the conservative-leaning Christian Democratic Union who served in the Bundestag from 1998 through 2013. Generally unknown to the privacy community, Voßhoff has received a negative initial reception from some privacy advocates: German MEP Jan Philip Albrecht strenuously objected to her nomination, saying on Twitter that her confirmation would amount to an “abolition” of the office. In this exclusive for The Privacy Advisor, Jörg Hladjk, counsel at Hunton & Williams and German-qualified attorney with a German PhD in privacy, expounds upon the three main challenges Voßhoff faces as she enters her five-year term. [Privacy Advisor]

EU – Yes, Consent Is Dead and Giving It a Central Role Is Dangerous

At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynote Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” Contemporary ideas of notice and consent, he argued, are a farce. In this installment of Privacy Perspectives, Field Fisher Waterhouse Partner Eduardo Ustaran explores the role of consent, noting that EU data protection law is predicated on it. “But does this approach still hold true?” he asks. “Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?” [Full Story]

EU – LIBE Committee: Suspend Safe Harbor, Create EU Cloud, Don’t Negotiate on Privacy

A preliminary conclusion of the European Parliament’s Civil Liberties Committee (LIBE) inquiry into the surveillance of EU citizens by the U.S. National Security Agency recommends that the parliament agree to a trade deal with the U.S. only if it does not mention data protection, and that Safe Harbor be suspended, according to its website. Lead MEP Claude Moraes also recommended the “swift” creation of an EU data storage cloud and judicial redress for EU citizens to protect their data in the U.S. Meanwhile, the UN General Assembly unanimously adopted a resolution calling for protecting the right to privacy against unlawful surveillance, according to the Associated Press. The resolution calls on all 193 UN member states “to respect and protect the right to privacy, including in the context of digital communication.” [Full Story]

EU – Parliament Backs New Cloud Resolution

The European Parliament is backing a new cloud computing resolution “in response to actions the European Commission (EC) has set out under its cloud computing strategy.” The EC is engaging the European Telecommunications Standards Institute (ETSI) to help determine the new standards required for cloud services, the report states. In their resolution, MEPs welcomed ETSI’s participation, noting the standards “should enable easy and complete data and service portability, and a high degree of interoperability between cloud services, in order to increase rather than limit competitiveness.” The resolution also asks the commission to provide guidelines for businesses to “ensure full compliance with the EU’s fundamental rights and data protection obligations.”

EU – CNIL Issues Cookie Guidance, Calls for Debate on “Surveillance Society”

The CNIL has released FAQs, along with technical tools, “providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements. “The CNIL’s guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers,” and “only certain cookies are exempt from the consent requirement under French data protection law,” the report states. Meanwhile, the CNIL’s Isabelle Falque-Pierrotin is calling for a national debate on the “surveillance society.” [Hunton & Williams’ Privacy and Information Security Law Blog]

EU – DPC Makes Headlines; Official Says Regulation Won’t Hurt Business

At the IAPP’s Data Protection Congress in Brussels, experts discussed the forthcoming European privacy requirements, which are “almost certain to slow the current headlong rush toward massive data collection, analysis, use and sale.” European Commission Director of Fundamental Rights Paul Nemitz dismissed concerns that the regulation will hurt business, saying privacy will instead become a competitive advantage. The report also quotes a speech by European Commissioner Neelie Kroes, delivered at the event by Kroes’ Head of Cabinet Constantijn van Oranje-Nassau, in favor of such reforms as allowing companies to process pseudonymized data without consent, and U.S. Federal Trade Commissioner Julie Brill defended the Safe Harbor program during the Congress’s opening session. [DataInformed] [Steelie Neelie: EU biz can use YOUR private data WITHOUT PERMISSION]

EU – Supreme Court Acquits Google Execs in Privacy Case

Google Global Privacy Counsel Peter Fleischer writes on his personal blog that he and two other “Googlers” have been acquitted by the Italian Supreme Court of violating Italian privacy law. In 2010, an Italian court convicted the three employees of failing to comply with the Italian privacy code in the case of a disparaging video of a young person that appeared online. “An eight-year legal saga has now come to an end,” wrote Fleischer, adding, “And although I have never met him, I hope that young man who was humiliated in the video that generated this case lives with dignity and happiness.” Fleischer also said the Supreme Court “will issue its written opinion in due course.” [Full Story]

EU – Ten Years and Two Terms Later, a Look at Peter Hustinx’s Legacy

European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that has evolved into an influential and highly respected supervisory authority since its establishment in 2004. [The Privacy Advisor]

Facts & Stats

WW – Site Picks “Privacy” as Word of the Year, Tracks Users

Ashkan Soltani and Andrea Peterson report that the site has chosen “privacy” as its word of the year, citing, among other reasons for the pick, this year’s NSA revelations. “But it has a ring of irony due to the site’s particularly robust consumer-tracking efforts,” they write. The site places 90 cookies on visiting users’ computers and has the most “beacons”—software that can track what a user does on a given webpage—of any site studied in The Wall Street Journal’s 2010 investigation, the report states. [The Washington Post]


WW – Browser Extension Circumvents Internet Filters

A browser extension for Google Chrome helps users get around the pornography-blocking filters that UK Internet service providers (ISPs) have been ordered to put in place. Last week, ISP BT announced that new customers will have the filters implemented by default, and that over the course of the next year, existing customers will be contacted and notified and given the option of activating the filters. The plan aims at protecting children from inappropriate content. However, the filters have already proven faulty, as they are allowing some pornography through while blocking websites that contain information about sex education and organizations that help abused women. [WIRED]


US – Senators Call for Consumer Financial Data Security Hearing in Wake of Target Breach

Three US senators have asked the Committee on Banking, Housing, and Urban Affairs to hold a hearing on the Target breach “as soon as reasonably possible.” The senators want to address the questions of whether or not marketplace entities “are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cyber security standards.” The senators want to discuss the possibility of accelerated adoption of EMV chip-based cards and they want to know if financial regulators “have the necessary tools, information, and authority to ensure that financial companies and service providers are doing enough to protect consumer data.” [SC Magazine] [Bank Info Security] [Senators’ Letter to the Committee]

US – Weak Credit Card Security Makes U.S. Prime Target for Data Breaches

The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target’s stores will get worse before they get better. That’s in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes. “We are using 20th century cards against 21st century hackers,” says Mallory Duncan, general counsel at the National Retail Federation. “The thieves have moved on but the cards have not.” In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it’s used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don’t bother. “The U.S. is the top victim location for card counterfeit attacks like this,” says Jason Oxman, chief executive of the Electronic Transactions Association. [Associated Press]


CA – Access Denied: How Perceived Info Blocking Has Dogged Tories in Newfoundland

Newfoundland Premier Kathy Dunderdale was defiant during a recent exchange in the legislature when she touted Newfoundland and Labrador as one of Canada’s most open governments. It’s a claim she has made repeatedly over the last 18 months after her Progressive Conservatives passed access to information changes that national accountability watchdogs called shockingly regressive. Amendments to the Access to Information and Protection of Privacy Act in June 2012 blocked release of ministerial briefing notes, increased protections for cabinet records, hiked fees and allowed ministers to reject requests as “frivolous” or “vexatious.” Accusations of secrecy have dogged the Tories ever since. Opposition Liberal Leader Dwight Ball says his first act if he wins the next election in 2015 would be to repeal those changes and launch a full review of access to government documents. He challenged Dunderdale in the house of assembly on Nov. 18 to overturn “the most secretive bill that this house has ever seen.” Dunderdale was unfazed. She cited a 2012 study on access to information by the Halifax-based Centre for Law and Democracy that found “we are open and transparent, far ahead of other provinces in this country … and the federal government,” she told the legislature. [The Canadian Press]

US – Verizon to Issue Transparency Report

Starting in 2014, Verizon will publish semi-annual transparency reports about government requests for information. Verizon will be the first US telecommunications company to publish a transparency report; such reports are already published by technology companies such as Google, Microsoft, and Facebook. Verizon was named in the first of the NSA documents leaked earlier this year, which revealed that the intelligence agency had been gathering large swaths of information from the company. [Washington Post] [ZDNet]

WW – Google’s Transparency Report Shows Sharp Increase in Takedown and Data Requests

Google’s most recent transparency report shows that the number of government takedown requests is increasing steadily. In the first half of 2013, Google received more than 3,800 requests from governments around the world to remove content they deemed defamatory, pornographic, or even just embarrassing. Google’s report indicates that it complied with fewer than half of the requests. According to the report, the number of government requests for user data is also increasing rapidly. The US government submitted more than 10,000 requests for information about 21,683 Google users. The data do not include requests for data made under Foreign Intelligence Surveillance Act programs. [Washington Post] [CNET]

EU – Spain’s DPA Fines Google $1.2M

Spain’s data protection authority (DPA) has fined Google $1.2 million (900,000 euros) for the illegal collection and use of consumers’ personal data. The company is charged with “three serious violations” by the DPA for not providing details “about what data it collects, what it uses it for and without obtaining a valid consent.” Google was fined 300,000 euros for each of the three violations and is required to take the “necessary measures without any delay to comply with the legal requirements.” In a statement, Google said, “We’ve engaged fully with the Spanish (authority) throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we’ll continue to do so,” adding “We’ll be reading their report closely to determine next steps.” [Bloomberg]

Health / Medical

US – Electronic Death Records Effective Influenza Surveillance Tool

The use of electronic death certificates may be an effective means of monitoring influenza outbreaks, according to new data. Unlike traditional methods of surveillance, an electronic death reporting system (EDRS) does not require medical records to track the severity of influenza seasons. Therefore, it requires fewer resources and would be less taxing on hospitals and public health personnel, researchers reported in Emerging Infectious Diseases. [Source]

CA – Pharmacist’s Facebook Request Broke Alberta’s Health Rules

A Calgary pharmacist shouldn’t have dug into a woman’s health information for “matchmaking” purposes, according to Alberta’s privacy commissioner. A casual employee at a pharmacy inside a southeast Calgary Shoppers Drug Mart contravened the province’s Health Information Act last year when he phoned and tried to Facebook “friend” a woman who had filed a prescription, said Jill Clayton. [CBC News]

Horror Stories

US – Target: PINs Were Stolen in Breach

Target now admits that PINs were stolen during a security breach of its in-store payment systems that affected 40 million accounts, but says that the data are encrypted. The PINs are reportedly encrypted at the keypads with Triple DES encryption; Target does not store or even have access to the key necessary to decrypt the data. [DarkReading] [ComputerWorld] [CNET] [CNN] [GovInfoSecurity] See also: [Target Payment Processor Denies it Was Breached] and [Is This Man Selling The Stolen Target Data?]

US – Target Breach Incites Action; Snapchat Is Latest High-Profile Breach Victim

Following the breach at Target affecting approximately 40 million consumers, Sens. Robert Menendez (D-NJ), Mark Warner (D-VA) and Charles Schumer (D-NY) have called for a Senate Banking Committee hearing to examine whether stronger industry-wide standards are needed and if all necessary actions are being taken to safeguard consumer data against fraud and identity theft. Missouri’s attorney general and a New York assemblyman are also looking into the breach, and a number of consumers have filed lawsuits. Meanwhile, a number of breaches spanning the globe affected healthcare providers, bankers and casino frequenters, among others that include private-texting provider Snapchat, which lost 4.6 million usernames and phone numbers. [The Privacy Advisor] See also: [Following hack, RegistratioNation discovers some customer data was inadvertently being stored on its server] [FL: Barry University notifies patients that records with personal, financial, and medical information may have been compromised] and [Woman finds her private information from rental application posted online]

WW – Snapchat Data Stolen; App Will Be Updated

A database of 4.6 million Snapchat usernames and some associated telephone numbers with the last two digits blurred has been posted online. The site where the stolen data were posted has been taken down. The people behind the attack say they exploited recent changes made to Snapchat to access the information. A message on Twitter from Snapchat CEO Evan Spiegel says that the company is “working with law enforcement [and] will update when we can.” [CNN] [ZDNet] [Washington Post] [The Register] [CNET] Update: Snapchat has announced that it will release an updated version of the app that will allow users “to opt out of appearing in Find Friends after they have verified their phone number.” The company said that it is also implementing other changes “to address future attempts to abuse our service.” [Source]

WW – Snapchat API and Exploits Published

Hackers have published Snapchat’s API (application programming interface) and exploit code for a pair of vulnerabilities that could be used to match phone numbers with usernames and create phony Snapchat accounts. The hackers say they released the information because Snapchat developers ignored their notifications about the vulnerabilities. [ArsTechnica] [Forbes] [ZDNet]

NZ – Huge Increase in IRD Privacy Breaches

Confirmed privacy breaches at Inland Revenue have jumped by almost 400% in the past year despite a crackdown after a spate of failings. In 2012 there were 32 separate privacy breaches but ONE News can reveal that has shot up to 151 incidents this year. The figures, obtained under the Official Information Act, show more New Zealanders’ confidential details are ending up in the wrong hands. And while the total number of people affected in the breaches has dropped from 6379 to 1158, hundreds more people are victims of serious breaches. In 2012, 638 people were caught up in three serious breaches while in 2013, 946 people were affected by 43 serious breaches where Inland Revenue has had to put security measures in place to protect people from identity theft. Labour’s revenue spokesperson David Clark said it’s a huge increase. “At this rate of increase pretty soon every New Zealander’s private banking data will be available to anyone that wants it and that’s a frightening prospect,” he said. [ONE News]

Identity Issues

US – Metadata Not Anonymous at All, Stanford Researchers Show

If you’re not concerned about government surveillance of your phone because the National Security Agency (NSA) only collects metadata, think again. A study from Stanford University shows that connecting “anonymous” metadata to compromising personal information is trivially easy. Documents leaked in June by former NSA contractor Edward Snowden revealed that the organization was collecting metadata about calls placed to and from Verizon telephone lines. Although this revelation was potentially troubling, metadata collection is, in theory, not cause for concern. The metadata about your phone calls does not reveal your name or identity, or the content of your conversations, but it does track the numbers you call, how long the calls last, and which other companies have your phone number in their directories. Although the specific documents leaked in June concerned Verizon landlines, the NSA has since admitted that it collects metadata about mobile telephone calls and text messages as well. Sen. Dianne Feinstein (D-Calif.), who heads the Senate Intelligence Committee, has said that collecting metadata is “not surveillance.” Because the information, by itself, cannot identify individuals, Feinstein and the NSA hold that it is practically harmless for the government to collect it. A research team operating out of Stanford University disagrees, and hopes to prove its point with a new Android app called MetaPhone. By accessing your phone number and your Facebook page, this app does what any NSA program could do: It acquires your metadata, then correlates it with your social-media information to see how much it can learn about you. [Tom’s Guide US]

BA – Bahamas: National ID Card Being Considered By Government

Immigration Minister Fred Mitchell said the Government is considering introducing a National Identification Card as well as charging persons who knowingly hire illegal immigrants in an effort to deal with the country’s long standing illegal migration problem. Mr Mitchell said in 2014 the issue of immigration will be “front and centre” on the government’s agenda. [The Tribune]

Internet / WWW

AU – Top Websites Pose Privacy Threat

Some of Australia’s most popular websites are also those that pose the greatest privacy threat, a new index created by University of Canberra cyber security experts has found. In an Australian first, the University’s Centre for Internet Safety has produced the 2013 Australian Online Privacy Index to rate the websites most visited by Australians. While Australian-based sites rank among the best, the majority are not compliant with changes to the Privacy Act which come into force in March 2014. Co-director Alastair MacGibbon explained that to develop the index, the researchers looked at how websites collect, use, disclose, transfer and store customers’ personally identifying information. “This report demonstrates the majority of organisations are not ready for the new regulatory changes,” he said. The new index will allow consumers and regulators to assess the privacy implications of interacting with popular websites. It will also allow businesses to compare themselves with peers in their own sector, as well as to know how their sector fares against others. [The University of Canberra]

Law Enforcement

US – Commercial UAV Use in U.S. Takes Next Step Forward

While the use of unmanned aerial vehicles (UAVs) is regulated in various ways across the globe, the Federal Aviation Administration (FAA) still tightly controls their use in the U.S. Currently, only law enforcement operations and certain educational institutions, or those who’ve expressly received clearance, are allowed to use what have commonly come to be referred to as “drones.” However, CNN reports, the FAA approved six research sites in late December at which it will test the best ways in which to safely, and with consideration for privacy, bring UAVs into “the heavily used U.S. airspace.” In this roundup for The Privacy Advisor, we look at the latest news in the use of UAVs from the holiday season. [The Privacy Advisor] See also: [Unbelievably lenient sentence for cop who fingered suspects’ anuses]

CA – OPP first to Target Suspended Drivers Through Licence Plate Program

Driving with a suspended licence is about to get much riskier for drivers as the Ontario Provincial Police (OPP) become the first police service in Ontario and one of the first in Canada to target suspended drivers with their Automatic Licence Plate Recognition (ALPR) program. “Thanks to our continued partnership with the Ministry of Transportation Ontario (MTO) and the Ontario Information and Privacy Commissioner (IPC), our roads will be much safer now that we have the resources to remove the threat that suspended drivers pose to all road users. The additional 27 vehicles will allow us to scan thousands more plates every day over a broader geographic range in the province,” said OPP Deputy Commissioner Bill Blair, Provincial Commander of Traffic Safety and Operational Support. The OPP is also expanding its ALPR program to include an additional 27 ALPR-equipped vehicles to its existing fleet of four which, according to the OPP, will make it more difficult for suspended drivers, drivers of stolen vehicles and other vehicles with plates in poor standing to drive undetected on Ontario roads and highways. “Our partnerships with the OPP and all our road safety partners have allowed us to lead the way with some of the most advanced road safety programs, tough laws and strong enforcement. This is why Ontario is a North American leader in road safety,” stated Glen Murray, Minister of Transportation and Minister of Infrastructure. “Ontario motorists expect to be protected from unsafe drivers, but also not to be tracked as they go about their daily lives. We are pleased to report that the OPP used a Privacy by Design approach in developing its Automatic License Plate Recognition system, and that when a scanned license plate does not match the list of unsafe drivers, it will be deleted from the system within minutes,” added Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada.
Approximately 250,000 Highway Traffic Act licence suspensions are issued annually in Ontario. OPP ALPR vehicles now have access to an MTO database that contains all Ontario licence plates of vehicles whose registered owners’ driver’s licences are suspended. [Ottawa Valley] [Ontario getting 27 vehicles equipped with Automatic Licence Plate Recognition program technology]


WW – Some Older Webcams’ Activation Indicator Lights Can Be Disabled

Researchers at Johns Hopkins University have found that it is possible to disable activation indicator lights by modifying the firmware on some webcams on older Mac computers. The issue affects iSight webcams in Macs and MacBooks released prior to 2008. [Washington Post] [ComputerWorld] [CNET] [ArsTechnica] [iSpy: Prof finds some Apple webcams can be activated without warning light]

WW – A New Twist in International Relations: The Corporate Keep-My-Data-Out-of-the-U.S. Clause

By now, we’ve heard from tech companies such as Facebook, Google and Cisco Systems that the National Security Agency’s spying poses a threat to their international business and, in Cisco’s case, is already hurting it. So what does that threat look like, exactly, at ground level? Some companies are apparently so concerned about the NSA snooping on their data that they’re requiring – in writing – that their technology suppliers store their data outside the U.S. [Bloomberg]

Online Privacy

WW – Instagram Rolls Out Nuanced Photo-Sharing

Instagram Direct is a new messaging service that allows users to document granular parts of their day to clusters of friends. As our “notions of privacy are constantly evolving and, in many cases, being eroded altogether,” we are “learning how to cope by adapting ourselves and our sharing behaviors by deciding which version of ourselves to present based on the number of people who will be able to see it,” the report states, suggesting the new service seems to respond to that adaptation. [The New York Times] [Instagram Direct and the Fracturing of Privacy]

WW – Bilton: “Anyone Who Can Watch You Will”

Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [New York Times]

US – Are Your Books Reading You?

New services track our habits—including an exercise game that monitors our fitness and e-books that “read” us. For example, the report states, start-ups “get reading data from subscribers who, for a flat monthly fee, buy access to an array of titles, which they can read on a variety of devices. The idea is to do for books what Netflix did for movies and Spotify for music.” As one author put it, “What writer would pass up the opportunity to peer into the reader’s mind?” Meanwhile, Gregory Schmidt writes a column on his use of Nintendo’s Wii Fit Meter. The device “clips on a belt or waistband and records your activity,” which can then be downloaded to the Wii U controller. [The New York Times]

Other Jurisdictions

WW – United Nations Signs Off on ‘Right to Privacy in the Digital Age’

The United Nations (UN) has unanimously voted to adopt a resolution calling for online privacy to be recognised as a human right. The gesture is politically notable because it shows the world is willing to be seen to do something in the wake of The Year Of Snowden. The resolution extends the general human right of privacy to the online world and clearly takes aim at the USA for its recently-revealed activities in clause 4, which “Calls upon all States” to perform the following actions.

(a) To respect and protect the right to privacy, including in the context of digital communication;

(b) To take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law;

(c) To review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;

(d) To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and collection of personal data;

Sadly, UN resolutions of this sort aren’t binding and can be flouted without consequence.

On the upside, the UN has explicitly recognised “that the same rights that people have offline must also be protected online, including the right to privacy” and noted that “the global and open nature of the Internet and the rapid advancement in information and communication technologies as a driving force in accelerating progress towards development in its various forms”. [The Register] [UK: Internet privacy as important as human rights, says UN’s Navi Pillay]

AU – Overview of the Australia Privacy Principles (APPs)

A guide to the new privacy landscape for the Commonwealth Government. Bottom Line: the amendments tighten up the rules around how agencies can collect, use and disclose personal information. For the first time, new Australian Privacy Principles will apply to both the private and public sectors. There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible. The Principles require a higher standard of protection to be afforded to “sensitive information”. The Privacy Commissioner will also be able to obtain enforceable undertakings from an organisation and apply to the court for a civil penalty order against agencies. The main changes to the Privacy Act result from the replacement of the current Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). Importantly, the APPs align more closely with the current National Privacy Principles, which apply to the private sector, than the IPPs. [See Full Summary and discussion at: Mondaq News]

Privacy (US)

US – Judge Dismisses Challenge to Suspicionless Border Searches of Electronics

A federal judge in New York dismissed a suit brought by the ACLU in 2010 that challenged the Customs and Border Patrol’s authority to conduct searches of electronic devices at border crossings without reasonable suspicion. Judge Edward Korman said the likelihood of such a search was small and that there are procedures in place for privileged content, such as journalists’ sources and attorneys’ client communications. The second Bush administration established suspicionless electronics searches in 2008, adding them to the existing border search exemption that allows routine searches and seizures without a warrant or probable cause. The ACLU is appealing the ruling. [ComputerWorld] [Ars Technica] [NextGov] [WIRED] [ComputerWorld] [Decision] [Notice of Appeal]

US – FTC’s Accretive Settlement Means 20 Years of Audits

Medical billing and revenue management services firm Accretive Health has settled charges with the Federal Trade Commission (FTC) that its inadequate data security exposed sensitive consumer information. The FTC said the company, which had access to such sensitive data as birthdays, names, Social Security numbers and billing information, failed to provide “reasonable and appropriate” security measures to protect the data and failed to ensure employees destroyed data that was no longer needed. Accretive must now establish a comprehensive program to be audited every two years for the next 20 years. Meanwhile, FTC Commissioner Julie Brill has recused herself from the case against LabMD. [FTC Press Release]

US – NY Parents, Districts Worry About Database Privacy

Even as their students’ grades, attendance and other personal information are about to be fed into a new statewide database, district administrators and parents around New York say they remain unconvinced the information won’t creep out over time or hurt students later when they apply for college or work. There are also questions about why the database pulling together hundreds of pieces of information in one place is needed, and a key state lawmaker has called for delaying the process set to start after Jan. 1. New York has signed up with Atlanta-based inBloom, which has struggled to get other states to participate, to create a system that stores student information on servers in the so-called cloud, accessed through the Internet. It’s seen as a tool to track student progress, personalize instruction and identify students who may be in danger of not graduating. Parents can also check on how their children are doing. But weeks of assurances by the state Education Department still haven’t satisfied critics’ privacy concerns. About three dozen of the state’s 695 districts say they won’t use the portal, forfeiting their shares of more than $700 million in federal Race to the Top funding won in 2010 and tied by the state to the database. State lawyers are due to respond this week to a legal challenge by 12 New York City parents seeking to block the state from sharing student information for the database, which is expected to go live in March. [Associated Press]

US – Judge Finds Accounting Firm Stole From Cloud in Landmark Ruling

In a landmark ruling that could impact Internet data rights nationwide, a judge found a Midtown-based accounting firm liable for stealing information from the online storage system known as “the cloud.” Manhattan Federal Judge Robert Sweet ruled that Weiser Capital Management took wealth manager Debra Schatzki’s valuable business records off the cloud without her permission and locked her out of her own database — a move that could cost the company millions of dollars when damages are decided at a civil trial next month. The valuable records included years of personal financial information for 12,300 of Schatzki’s clients, including high-net-worth real estate and architecture execs. Her lawyer believes the ruling last month may be the first time a judge has held someone liable for taking information from the cloud, and could have a sweeping impact because more and more people are using cloud tools such as Google Drive and Dropbox to store and share files. “By ruling as he did, Judge Sweet is protecting all businesses and individuals who elect to keep confidential materials on the cloud,” said Schatzki’s lawyer James Mahon. [NEW YORK DAILY NEWS] See also: [Ars Technica’s Four Tech Legal Cases to Watch in 2014]

US – Judge: Hulu Privacy Lawsuit Will Continue

A federal judge has ruled that a privacy lawsuit against video-streaming service Hulu must continue. U.S. Magistrate Judge Laurel Beeler rejected an argument submitted by the company that users must show actual injury to recover damages, even if they could be considered “aggrieved” persons under the Video Privacy Protection Act. The now-rejected argument by Hulu stated the law “was not adopted to impose multi-billion dollar liability on the transmission of anonymous data where no one suffers any actual injury.” Beeler ruled that “the statute requires only injury in the form of wrongful disclosure…” The judge did not rule on the merits of the case. Courthouse News Service reports that a summary judgment hearing is scheduled for February 6. [Reuters]

US – Coalition of Internet Firms Worried About NIST Framework

Some major Internet companies comprising the Internet Commerce Coalition say the National Institute of Standards and Technology’s proposed privacy framework would be “potentially burdensome,” therefore discouraging some organizations from adopting it. The final draft of the framework is to be released in February, and privacy is built into its requirements. The coalition says it favors a methodology developed by Hogan Lovells’ Harriet Pearson under which firms would be required to follow a more general scheme rather than the privacy appendix suggested in the framework now. [FierceGovernmentIT]

Privacy Enhancing Technologies (PETs)

AU – Privacy Issues in Designing Mobile Apps

The Office of the Australian Information Commissioner (OAIC) recently released a guide under the title “Mobile Privacy: A better practice guide for mobile app developers” (the Guide). The intention of the Guide is to assist app developers with building “privacy-friendly” apps to ensure better privacy practices and also ensure compliance with Australian privacy laws, both under the existing National Privacy Principles, and the incoming Australian Privacy Principles, which will commence from 12 March 2014. The Guide encourages developers to adopt a “privacy by design” approach that aims at building privacy and data protection up front, into the design specifications and architecture of the technology used as part of the app. Such an approach will ensure that privacy considerations are incorporated into each stage of app development. The Guide also sets out a number of “essentials” that an app developer should consider when designing their app. See also: [US FTC Says App Developers Must Shine More Light on How They Use Data]


US – DOE Inspector General’s Report Notes Lack of Patching as Contributing Factor to Breach

The US Department of Energy (DOE) system breached earlier this year was not kept current with patches. According to a report from the Office of Inspector General of DOE, “Critical security vulnerabilities in certain software supporting the management information system (MIS) application had not been patched or otherwise hardened for a number of years.” Database administrators may be reluctant to apply patches because they can have the added effect of introducing “behavioral changes.” [DarkReading]

US – NSA Tailored Access Operations Unit Provides Specialized Hacking Services

According to a story published in German magazine Der Spiegel, a special NSA unit has a “catalog” of hacking tools that can be used to infiltrate systems and individual computers, steal data, plant backdoors, impersonate GSM base stations to intercept mobile phone calls, and perform a multitude of other high-end cyberespionage tasks. The unit, known as the Office of Tailored Access Operations (TAO), also reportedly hijacks Microsoft’s crash reporting system to help gain access to targeted machines. [Spiegel] [WIRED] [CS Monitor] [DarkReading] [ComputerWorld] SEE ALSO: [U.S., Russia Hold Cybersecurity Talks] See also: [Internet privacy to be key IT security topic of 2014]

WW – Researchers Create Malware Able to Jump Non-Connected Devices

Newly developed malware is capable of communicating between devices not connected to any active networks. The malware now threatens the “air gap” often used to protect data, the report states. Researchers were able to use the built-in microphones and speakers within PCs to establish communication via inaudible audio signals within a distance of 65 feet. The proof-of-concept software has been outlined in the Journal of Communications. In the report, the researchers said, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.” [Ars Technica]

CA – Feds Sought to Ban USB Drives to Curb Risk of Privacy Breaches

Fearing it may lose sensitive information on First Nations peoples, the Department of Aboriginal Affairs decided earlier this year to ban the use of USB keys to transport data — then realized instituting the new rule without an alternate plan was doomed to fail. That conclusion came after a security blitz in March that found “vulnerabilities that needed to be addressed” within the department, according to a briefing note to the deputy minister. That briefing note went on to say that a ban on the use of portable data devices “is known,” but enshrining it in policy was no simple task. “Issuing direction before it can be enforced and before the tools are available to support compliance, encourages people to disregard it. This increases the risk of intentional breaches,” the note says. [Calgary Herald]


US – NSA Developed Backdoor for iPhones

A news story in German magazine Der Spiegel said that NSA spyware known as DROPOUTJEEP can give anyone using it access to most everything on infected iPhones. The tool harvests text messages and voicemail and is capable of switching on the device’s microphone and camera remotely. Apple has denied that it worked with the NSA to put the backdoor in iPhones. In a statement to the Wall Street Journal, Apple officials said, “Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products.” [NBC News] [SC Magazine] [ZDNet] [CNET] [ComputerWorld] SEE ALSO: [Backdoor in Certain Combination Wireless Router/DSL Modems] see also: [Companies Investigating Reports of NSA Backdoors in Their Products]

US – NSA Intercepts Computer Deliveries, Says Report

A German magazine lifted the lid on the operations of the NSA’s hacking unit, reporting that American spies intercept computer deliveries, exploit hardware vulnerabilities, and even hijack Microsoft’s internal reporting system to spy on their targets. Der Spiegel’s revelations relate to a division of the NSA known as Tailored Access Operations, or TAO, which is painted as an elite team of hackers specializing in stealing data from the toughest of targets. Der Spiegel said TAO had a catalogue of high-tech gadgets for particularly hard-to-crack cases, including computer monitor cables specially modified to record what is being typed across the screen, USB sticks secretly fitted with radio transmitters to broadcast stolen data over the airwaves, and fake base stations intended to intercept mobile phone signals on the go. The NSA doesn’t just rely on James Bond-style spy gear, the magazine said. Some of the attacks described by Der Spiegel exploit weaknesses in the architecture of the Internet to deliver malicious software to specific computers. Others take advantage of weaknesses in hardware or software distributed by some of the world’s leading information technology companies, including Cisco Systems, Inc. and China’s Huawei Technologies Ltd., the magazine reported. Der Spiegel cited a 2008 mail order catalogue-style list of vulnerabilities that NSA spies could exploit from companies such as Irvine, California-based Western Digital Corp. or Round Rock, Texas-based Dell Inc. The magazine said that suggested the agency was “compromising the technology and products of American companies.” Old-fashioned methods get a mention too. Der Spiegel said that if the NSA tracked a target ordering a new computer or other electronic accessories, TAO could tap its allies in the FBI and the CIA, intercept the hardware in transit, and take it to a secret workshop where it could be discreetly fitted with espionage software before being sent on its way.
Intercepting computer equipment in such a way is among the NSA’s “most productive operations,” and has helped harvest intelligence from around the world, one document cited by Der Spiegel stated. One of the most striking reported revelations concerned the NSA’s alleged ability to spy on Microsoft Corp.’s crash reports, familiar to many users of the Windows operating system as the dialogue box which pops up when a game freezes or a Word document dies. The reporting system is intended to help Microsoft engineers improve their products and fix bugs, but Der Spiegel said the NSA was also sifting through the reports to help spies break into machines running Windows. [Der Spiegel]

US – If NSA Can’t Store Phone Data, Who Will?

Following the revelation that the NSA has been storing vast quantities of phone call metadata and a federal judge’s opinion that the practice is “almost certainly” unconstitutional, the government is considering alternatives to the agency holding the data. Some have suggested requiring the phone companies themselves to retain the data and requiring that the NSA meet strict guidelines when requesting to look at them, but that involves expense and puts the telecoms in the position of being the target of data breaches. Furthermore, unless the data retention arrangement was clearly specified to be for counterterrorism purposes only, the companies could find themselves receiving data requests from federal agents as well as state and local governments. A proposal that would establish a third-party entity to retain the data poses similar problems; as one unnamed senior Senate aide observed, “You’d have to demonstrate why that organization having those records provides any less privacy concern than giving it to the NSA, which operates under very strict privacy guidelines.” [Washington Post] SEE ALSO: [How the Grinch steals Christmas — he tracks your kid online] and [‘Tis the season: Retailers collecting customer data to boost sales]

US – Opinion: Nation Needs Reforms

In an op-ed piece, members of the President’s Review Group on Intelligence and Communications Technologies, appointed in August, write that “the nation needs a package of reforms that will allow the intelligence community to continue to protect Americans, as well as our friends and allies, while at the same time affirming enduring values, involving both privacy and liberty.” The group has made 46 recommendations to President Barack Obama. Another NYT article discusses the repercussions if Obama adopts the advisory group’s most far-reaching recommendations, which may “go a long way toward determining the legacy of his presidency.” Meanwhile, author David Eggers says U.S. writers must take a stand on U.S. surveillance. [New York Times]

US – NSA Review Panel Urges Major Oversight, Some Restrictions

A review panel of outside intelligence and legal experts on Wednesday released its report to President Barack Obama recommending increased oversight and some restrictions on the National Security Agency (NSA) surveillance programs. Among the 46 recommendations, the panel urged Obama to restructure the NSA’s metadata collection program by having telecommunications companies or a private consortium hold the data and only share it after the agency provides an approved court order “for queries and data mining.” The panel also recommended the agency halt its practice of creating “backdoors” into hardware and software as a secret way to manipulate devices and online systems. Sen. Ron Wyden (D-OR) said, “This has been a big week for the cause of intelligence reform,” and the Center for Democracy and Technology’s Greg Nojeim called the report “remarkably strong.” Obama reportedly said he was “open to many” of the recommendations. [The New York Times] [Analyzing the NSA Review Panel Report]

US – Federal Judge Rules NSA Program Likely Unconstitutional

A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions. [Politico]

US – Judge Rules NSA’s Data Collection is Legal

A federal judge in New York has ruled that the NSA’s wholesale collection of phone call metadata is legal. US District Judge William Pauley said the data collection is allowed under Section 215 of the Patriot Act, because telecommunications companies collect the data. The ruling comes in a lawsuit brought by the American Civil Liberties Union (ACLU), which challenged the NSA’s data collection program. In contrast, a ruling from another district judge earlier this month described the program as “likely unconstitutional.” [CNET] [ArsTechnica] [The Register] [RULING] See also: [The most Kafkaesque paragraph from today’s NSA ruling]

US – NSA Data Gathering Cases Raise Question of Legal Precedent’s Validity in the Digital Age

The two diametrically opposed opinions on the legality of the NSA’s telephony metadata collection raise the question of whether a 34-year-old US Supreme Court ruling applies in the case. In 1979’s Smith v. Maryland, the US Supreme Court found that people do not have a “reasonable expectation of privacy” for information that they have voluntarily disclosed to a third party. Last week, US District Judge William Pauley ruled that the precedent does apply and that the NSA’s data collection program is legal. However, several weeks ago, US District Judge Richard Leon wrote, “When do present-day circumstances … become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith does not apply? The answer … is now.” [The Atlantic]

US – Tech Giants Meet with Obama, Talk NSA

A high-level meeting took place between President Barack Obama and chief executives from 15 of the country’s largest technology companies to discuss, in part, National Security Agency (NSA) surveillance programs. In a post-meeting statement, the executives said they urged Obama “to move aggressively on reform…” They also raised concerns that foreign countries, such as Brazil, may prevent user data from flowing to the U.S., which could hurt the executives’ businesses as well as the U.S.’s start-up economy. Though the White House made no commitments, it reportedly expressed sympathy with the web companies’ call for more transparency about government requests for user data, and it told the executives that government action to reform NSA surveillance would happen in the new year, the report states. Meanwhile, Bloomberg reports Monday’s ruling on the NSA could move to the Supreme Court. [The New York Times]

Telecom / TV

UK – Kate Middleton & Prince Harry’s Phones Hacked, Court Hears

Rupert Murdoch’s ‘News of the World’ intercepted Kate Middleton and Prince Harry’s voicemails, prosecutors alleged in a London court. It is the first time the Murdoch media empire, whose biggest-selling newspaper the paper was, has been accused of illegally accessing the phone of a member of the royal family: previous allegations have centered on the hacking of phones used by royal aides. The now-shuttered Sunday tabloid is accused of accessing Middleton’s voicemails to gain embarrassing personal details about her and Prince William. [The Daily Beast]

US Government Programs

US – 2014 National Defense Authorization Act Attempts to Address Cybersecurity Issues

The newly-passed US 2014 National Defense Authorization Act increases funding for CyberCom (US military’s Cyber Command) but the organization still lacks clarity about the rules of cyber engagement and is struggling with finding enough talented people. The bill also requires federal agencies to develop “intelligence, law enforcement, and financial sanctions” mechanisms to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.” Legislators are particularly concerned about zero-day vulnerabilities being sold on the black market. The bill also requires the administration to develop “principles for controlling the proliferation of cyberweapons that can lead to expanded cooperation and engagement with international partners.” The bill does not, however, define “cyberweapon.” [NextGov] [Politico] [Politico]

US – Can Plaintiffs’ Lawyers Fill the DPA Role?

Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, CIPP/US, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attorneys’ fees for plaintiffs’ counsel and very little for individual class members.” [Source]

US Legislation

US – What Will 2014 Hold for the NSA and Snowden?

The tail end of 2013 brought with it continued news and reaction to the disclosures of the U.S. National Security Agency’s (NSA) surveillance programs by former contractor Edward Snowden. Perhaps most significantly, a U.S. federal judge on Friday December 27 ruled the NSA’s bulk collection of metadata on phone calls was legal. The ruling came less than two weeks after another federal judge came to virtually the opposite conclusion. In this roundup for The Privacy Advisor, we gather together the major developments and opinion stemming from Snowden’s disclosures and what may lie ahead for the NSA in 2014. [Full Story] See also: [Snowden’s Christmas message: Privacy counts] [Snowden in open letter: NSA’s indiscriminate spying is ‘collapsing’] [2013 Privacy Law Review] [The Year’s Top 10 Stories in The Privacy Advisor] [The Year’s Top 10 Privacy Perspectives Posts] and [Five Interviews Shed Light On What Is Going On Inside NSA] [2013 a big year for privacy? You ain’t seen nothing yet!] [The NSA and the Corrosion of Silicon Valley] [2013 is the year that proved your ‘paranoid’ friend right] and [The Dumbest Privacy Cases Of 2014 and Is Privacy Law Stupid?]

US – U.S. Court Strikes Down Drug Screening for Welfare Recipients

U.S. District Court Judge Mary Scriven has deemed unconstitutional a Florida law requiring welfare recipients to submit to drug screening. The law went into effect in July of 2011, but in October the 11th Circuit Court issued a temporary injunction. While the state fought the injunction, this latest ruling agreed with the 11th Circuit that “There is nothing so special or immediate about the government’s interest in ensuring that TANF recipients are drug free so as to warrant suspension of the Fourth Amendment.” Gov. Rick Scott has vowed to appeal the decision. [The Miami Herald]

WW – Expect APEC Privacy “Stocktake” in 2014

Australia Privacy Commissioner Timothy Pilgrim has said officials charged with developing a privacy policy for the Asia-Pacific Economic Cooperation (APEC) are planning a “stocktake” of the APEC Privacy Framework. Pilgrim also said APEC’s Data Privacy Subgroup will work with the EU to map the APEC’s Cross Border Privacy Rules system with the EU binding corporate rules system. “The idea there is to see if they can identify any gaps for the purposes of possible future interoperability between the systems,” Pilgrim said, adding, “The next step is to sit down and identify where are the similarities and where are the gaps if we want to try to move to interoperability.” [Bloomberg BNA]

US – TN Sen. Proposes Cellphone Privacy Bill

Tennessee State Sen. Mae Beavers (R–District 17) has proposed a bill that would require police to acquire a warrant before collecting cell phone data, including the number dialed, from where and at what time. The bill is similar to a drone surveillance law passed recently. “If you don’t get a search warrant, you can’t use it as evidence. So hopefully this will sail right through as a privacy issue to protect the innocent,” said Beavers. [WREG]

US – Kids Online Privacy Workgroup Submits Final Report

After six months of discussions, Maryland Attorney General Douglas Gansler submitted the final report of the Workgroup on Children’s Online Privacy Protection offering suggestions for better protecting children’s personal information online. The report proposes requiring the encryption of sensitive information collected from children and updating state statutory definitions of personal information, among other recommendations. The Maryland House Economic Matters Committee and the Senate Finance Committee will review the report. [Legal Newsline]

US – Sen. Proposes Employee Credit Privacy Bill

Sen. Elizabeth Warren (D-MA) has introduced the Equal Employment for All Act, which would prohibit employers from requiring job applicants to disclose their credit history as part of the application process, reports International Business Times. Warren says the practice stacks the deck against poorer workers and can create a vicious cycle. Norm Magnuson, vice president of public affairs for the Consumer Data Industry Association, says the organization supports the use of credit reports in qualifying potential employees, adding that in some cases the reports could show a pattern of irresponsible behavior.

US – How CalOPPA Changes Affect the App Industry

This article from Wired outlines the impact recently passed amendments to the California Online Privacy Protection Act will have on the app industry. The provision stating that publishers must “disclose whether third parties may collect Personally Identifiable Information over time from different websites” poses particular concern to app developers because of their methods of tracking users. The report also states, “Browser and app developers need to decide what ‘Do-Not-Track’ signals their products should offer and how to communicate the functionality to consumers and operators of commercial websites or online services.”

US – Congresswoman Pushes for Health Exchange Notification Law

Rep. Diane Black (R-TN) has introduced legislation to require the government to notify individuals if their personal information is breached through the Affordable Care Act’s insurance exchanges. H.R.3731 is part of a larger partisan campaign maintaining that “the exchanges are putting personal data at risk.” [National Journal]

US – Ohio Passes Student Data Privacy Bill

The Ohio House of Representatives has passed HB 181, legislation that prohibits schools from sharing students’ personal information with any federal, state or local entity without school board authorization, except in certain circumstances. The law also requires the state department of education to publish data inventory policies and procedures yearly as well as provide data collection information to the General Assembly. [The Perry Tribune]

US – Two Education Privacy Bills Pass Committee in Wyoming

The Select Committee on Education Accountability has approved two bills sponsored by Sen. Bill Landen (R-Casper) involving the state’s Department of Education. The first would create a provision in the current law barring it from committing the state to “federal oversight or regulation” and also giving it the “authority to develop an education program without excessive oversight.” The second requires the department’s directors and those of the Department of Enterprise Services to develop a data security plan and contains language used in other states’ student privacy laws. [Star-Tribune]

US – Will GAO Report Spur Action from Congress?

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the Federal Trade Commission is also preparing a report expected in early 2014. In this exclusive for Privacy Tracker, the Hogan Lovells privacy team looks at what the GAO examined and, in the short term, how Congress might respond to the GAO’s findings and, when they are published, Rockefeller’s. Are stronger consumer privacy protections on the way?  Full Story

US – Unpacking the Klayman v. Obama Decision

On December 16, the District Court in the District of Columbia issued an opinion finding that the National Security Agency’s (NSA) surveillance program was likely unconstitutional. In Klayman v. Obama, five plaintiffs sued a variety of government officials and private companies seeking preliminary injunctive relief based upon the assertion that the NSA program was unconstitutional and violated other statutes. In what ended up making big news, the court concluded there was a substantial likelihood the plaintiffs would prevail on their Fourth Amendment claims and issued an injunction. In this Privacy Tracker blog post, Andrew Serwin unpacks the court’s decision. Full Story

US – Sen. Tells Data Broker Industry They’re On Notice

In a Senate Commerce Committee hearing, Sen. Jay Rockefeller (D-WV) had harsh words for the consumer data broker industry. “We have a feeling people are getting scammed or screwed,” he said. The hearing focused on the use of consumer marketing data and followed the release of Rockefeller’s report on the industry, which said that Acxiom, Epsilon and Experian were not as forthcoming with their answers to Rockefeller’s investigation as he would have liked. Rockefeller warned he may use more forceful means of getting them to share such insights. Experian Senior VP of Government Affairs and Public Policy Tony Hadley defended his company’s practices and said it has safeguards to ensure bad actors do not get consumer lists. In chilling testimony, the World Privacy Forum’s Pam Dixon discussed some of the disturbing uses of data, including the selling of rape victim lists, home addresses of police officers and names of those with genetic illnesses. Rockefeller said the committee will continue to shine a spotlight on the industry. [AdAge]

Workplace Privacy

WW – Recruiters Mining Medical Data to Target Subjects

Healthcare companies are probing readily available information from data brokers, pharmacies and social networks in order to recruit patients for clinical trials. Blue Chip Marketing Worldwide, for example, found patients to experiment with an obesity drug by targeting people who presumably live sedentary lifestyles, such as those who subscribe to premium cable TV or eat at fast-food chains frequently, the report states. “We are now at a point where, based on your credit-card history … we can get a very, very close read on whether or not you have the disease we’re looking at,” said a spokesman from one pharmaceutical product development company. [The Wall Street Journal]

US – On The 10th Day Of Privacy, My Employer Gave To Me …..

As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues.  Here are five developments that we are monitoring (pun intended) as we enter the New Year.

1. The Law Starts to Catch up With the Technology

2. So Tell Us Your Honor, What Do These Laws Mean?

3. Your Greatest Strength May Be One of Your Biggest Weaknesses

4. Wait, Our Employees work in an office not in a factory, what’s the NLRB doing here?

5. When did We Start Living in the World of George Jetson? [Mondaq News]

CA – BYOD: It Can Be Privacy and Security Protective

On December 11, 2013, Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and TELUS released a new whitepaper applying the principles of Privacy by Design to employee owned devices in the workplace. The whitepaper, entitled “Bring Your Own Device: Is Your Organization Ready?”, sets out a five-step process for developing and implementing a BYOD program:

  1. Step One: Establishing Requirements – End-User Segmentation. This involves identifying user needs.
  2. Step Two: Technology Alignment and Device Choice. This involves aligning permitted devices to user needs and operational considerations, as well as the level of access permitted based on the device characteristics.
  3. Step Three: Policy Development. In this step, the organization is to develop policies and procedures governing information security, monitoring, privacy, guidance on the use of wifi, termination of employment and other issues engaged by BYOD.
  4. Step Four: Security. This step requires the organization to evaluate existing controls and implement additional administrative, technical and physical security controls to enhance or maintain the security of the organization’s IT infrastructure and the integrity and privacy of personal information.
  5. Step Five: Support. In this final step, an organization is to have a plan to support employees, including with respect to lost or misplaced devices.

[Mondaq News] See also: [BYOD – It can be privacy protective from Dentons] and [BYOD Participation Agreement from Dentons]

US – BYOD Became the ‘New Normal’ in 2013

There was a shift in the adoption of bring-your-own-device (BYOD) policies in 2013. A poll taken in January found that three of four respondents had a program in place, but two-thirds had an “anything goes” philosophy. This year, CIOs began shifting IT department cultures to embrace mobile apps in an effort to manage BYOD. “The education cycle by the vendors and analysts began to sink in,” said one expert. “Line of business managers don’t want this liability on their hands.” [Computerworld]

NZ – New Duty to Disclose Health Conditions To Employers

Employees will have to tell their employers if they have medical conditions or are taking prescription drugs that affect their productivity or expose others to harm, under provisions in a proposed bill. The Employment Relations (Safe and Healthy Workplaces) Amendment Bill is the work of police officer and anti-drugs crusader turned MP Mike Sabin. The bill would provide a legislative framework with clear obligations for employees and employers when it comes to workplace safety and drug and alcohol use. There is currently no legislative framework to guide employers and employees when managing health, safety and productivity concerns stemming from the direct and indirect effects of drug and alcohol use, Mr Sabin says. “The aim here is not to infringe on privacy or the rights of the individual…it’s simply to be able to identify a hazard and manage it,” Mr Sabin says. In the US, problems with prescription drugs are on the increase, he says. New Zealand is typically five years behind US drug-use trends and Mr Hilson hopes this bill would get introduced before prescription drug abuse becomes a bigger problem.

EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France

A regional court in Versailles, near Paris, is examining whether Ikea executives in France broke the law by ordering personal investigations of hundreds of people over the course of a decade. A review of the court records by The New York Times indicates that Ikea’s investigations were conducted for various reasons, including the vetting of job applicants, efforts to build cases against employees accused of wrongdoing, and even attempts to undermine the arguments of consumers bringing complaints against the company. The going rate charged by the private investigators was 80 to 180 euros, or $110 to $247, per inquiry, court documents show. Between 2002 and 2012, the finance department of Ikea France approved more than €475,000 in invoices from investigators. The case has caused public outrage in France, not only because of the company’s large consumer following in this country — Ikea’s third-largest market after Germany and the United States — but because the spying cases occurred in a country that, in the digital age, has elevated privacy to a level nearly equal to the national trinity of Liberté, Égalité and Fraternité. [The New York Times]



01-15 December 2013


US – NTIA Announces Facial Recognition Meeting Schedule

An announcement in the Federal Register details the National Telecommunications and Information Administration (NTIA) series of eight meetings related to the “Consumer Data Privacy Code of Conduct” on facial recognition technology first reported last week. The meetings will be held in Washington, DC, and will be open to the public. The report includes the dates of the eight meetings, beginning with one on February 6 aimed at beginning a “factual, stakeholder-driven dialogue regarding the technical capabilities and commercial uses of facial recognition technology.” The NTIA plans to circulate a draft for public comment following the last meeting on June 24. [Government Security News]

US – Next NTIA Project to Focus on Facial Recognition

The National Telecommunications and Information Administration (NTIA) announced it is launching a new multi-stakeholder process that will focus on the commercial use of facial recognition technology. While the technology has potential for innovative use that could improve services for consumers, writes Department of Commerce Assistant Secretary for Communications Lawrence Strickling, “the technology poses distinct privacy challenges. Digital images are increasingly available, and the importance of securing faceprints and ensuring consumers’ appropriate control over their data is clear.” The NTIA, which most recently used the multi-stakeholder process to release a code of conduct to improve privacy notices on mobile devices, will convene the first meeting to explore privacy safeguards for facial recognition technology on February 6 at 1 p.m. The public and all stakeholders are invited, and the meeting will be webcast. [NTIA]


CA – Denham Calls for Amendment to Law; Ring Voices Concerns

Citing concerns that public entities are not doing enough to raise awareness of possible health, safety and environmental concerns, BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. In a report released this week, Denham raises concerns that public bodies are not aware of or trained in their duty to inform residents of potential dangers. Separately, the CEO of a health research firm is cautioning that privacy concerns in BC limit researcher access to data for healthcare innovations. And in Newfoundland and Labrador, Information and Privacy Commissioner Ed Ring is concerned the province’s premier’s office “improperly withheld” documents related to search and rescue efforts. [Times Colonist]

CA – Report: Supreme Court Ruling Suggests All Data Is Not Equal

In a complex ruling, the Supreme Court of Canada has found that data stored on a hard drive “is not equal to the same material stored in a filing cabinet.” The case, which involved a man’s conviction for growing marijuana, is what the Canadian Bar Association called “a marker (in the ground) for digital privacy law in Canada,” the report states, noting the man’s lawyer “succeeded in convincing the justices that computers are ‘stand-alone places’ that require specific search warrants.” [SC Magazine]

CA – Bertrand Denies Support of Data-Sharing Bill

New Brunswick Privacy Commissioner Anne Bertrand has said she did not give the government input or support for a proposed government data sharing bill. Earlier in the week, the education minister said Bertrand had supported Bill 23—a bill that would make it easier for government agencies to share personal information. In a letter to Speaker Dale Graham, Bertrand wrote, “With respect, I was surprised to hear the minister’s comments to this effect, as her comments do not accurately reflect the nature of the discussions that took place between our office and department officials on this matter.” [CBC News]


WW – World’s Leading Writers Demand “Digital Bill of Rights”

More than 500 of the world’s top writers have banded together to condemn the scale of government surveillance around the globe. The signatories, including five Nobel Prize winners and authors from 81 different nations, are urging the United Nations to create an international, digital bill of rights. The move comes just a day after eight of the globe’s largest tech companies called for limits to state surveillance. The recent revelations about the extent to which governments spy on individuals has undermined the human right to “remain unobserved and unmolested … This human right has been rendered null and void through abuse of technological developments by states and corporations for mass surveillance purposes,” the statement says. “A person under surveillance is no longer free; a society under surveillance is no longer a democracy,” it adds. [The Guardian]

US – Study: Smartphone Users Will Pay More for Privacy

A study by University of Colorado Profs. Donald Waldman and Scott Savage has found “average smartphone users are willing to pay a few dollars for mobile apps that maintain privacy.” The team surveyed 1,726 people from seven U.S. cities, finding “consumers are willing to pay $4.05 to conceal contact lists, $3.58 to conceal the contents of text messages, $2.28 to shield browser history, $1.75 to block the phone’s ID number and $1.19 to conceal personal locations,” the report states. “We wanted to put a number out there,” Savage said. “Instead of saying what you feel or anecdotally thinking privacy is important, let’s put a number on it. Then people can have a real discussion.” [Daily Camera]

WW – Customized Airline Deals Raise Privacy Concerns

Industry reports indicate that airlines are looking to roll out customized airfare packages for consumers based on collected data that could include income, home location and travel patterns. The plans are raising privacy concerns among some consumer advocates and have received the attention of the U.S. Department of Transportation (DoT). A spokeswoman for Airlines for America said, “We expect to see more airlines adopt this trend in commerce as they continue to offer passengers a more personalized travel experience.” However, Consumer Travel Alliance’s Charles Leocha said, “It will be the death of comparison shopping.” The DoT is scheduled to meet on Monday to discuss airfare pricing and could recommend federal legislation requiring airlines to disclose what data they’ve collected on travelers, the report states. [L.A. Times]

US – Many Stores Tracking Shoppers This Holiday Season

U.S. retailers are putting small tracking devices to work monitoring shoppers and their cellphones, to “tally how long people wait in line and where they shop.” The Future of Privacy Forum (FPF) has estimated “about 1,000 retailers, from tiny boutiques to Macy’s Inc., have outfitted their aisles with sensors to monitor shoppers’ paths,” the report states. While FPF has asked retailers to notify shoppers they are using such technology—and eight makers of tracking devices asked their clients to post such disclosures, the report notes, “the idea went nowhere with retailers.” Other retailers, meanwhile, have cited privacy concerns as their reason for holding off on using tracking technology, and some customers have complained about such practices as stores using WiFi signals to track customers through their cellphones. [The Wall Street Journal]

UK – Just 9% of Customers Have Faith Brands Will Secure Their Data

Japanese IT firm Fujitsu has released findings of a survey of 3,000 UK consumers that found just nine percent “have any faith in organizations to protect their data.” Further, 20% said they would inform police of a data loss, considering it a criminal offense, and 63% said they do not want companies to use their data to improve their experience with the company. “The results of our research showed consumer tolerance for data loss is at an all-time low,” said Fujitsu UK & Ireland Chief Security Officer David Robinson. Research was conducted by OnePoll, an independent research consultancy based in London. The UK consumers completed an online survey in October. [Fujitsu]

WW – Getting to Simpler, More Consumer-Friendly Privacy Policies

Prior to stepping down from the FTC, David Vladeck “frequently railed against the current generation of consumer-facing privacy policies” as it becomes clear that consumers just don’t read or understand them. And there is data to back him up, notes GMAC Chief Privacy Official Allen Brandt. This Privacy Perspectives post looks into several examples of creative ways companies are conveying their privacy policies to consumers, including how GMAC recently converted its entire consumer-facing privacy policy into a series of one-minute videos. [Full Story]


EU – France Gets Criticism for New Surveillance Law

France passed a law expanding government surveillance activities and the country is getting heavily criticized by privacy advocates for the move. The new law “essentially means that the police, intelligence and anti-terrorist agencies can now spy on Internet users in real-time, across computers, tablets and smartphones.” Previously, these entities needed approval from a National Commission for the Control of Security Intercepts judge before conducting these activities. One privacy expert voiced his disappointment with the CNIL, the French DPA, and noted that the new law “shows (that) the EU governments still have few qualms about mass surveillance of their own populations, even as they protest about NSA.” [SC Magazine]


WW – Microsoft Beefing Up Encryption Following Gov’t Spying Revelations

A Microsoft blog announces the company is “taking steps to ensure governments use legal process rather than technological brute force to access customer data.” The company says allegations that some governments circumvent online security measures to collect private customer data put such governments alongside such threats as sophisticated malware and cyber attacks. As such, Microsoft plans to encrypt all services, reinforce legal protections for customers and expand the transparency of its software code. Microsoft General Counsel Bradford Smith said revelations the government might be hacking into corporate data centers “was a bit like an earthquake, sending shock waves across the tech sector.” [PC World]

EU Developments

EU – One-Stop-Shop Principle Delays Progress on Regulation

The proposed EU Data Protection Regulation suffered a setback when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights. [EU Observer] see also: [The EU and APEC: A Roadmap for Global Interoperability?]

EU – DPAs Say They Aren’t Ready for Regulation

While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue. Irish Data Protection Commissioner Billy Hawkes says, under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules. [PCWorld] See also: [Draft EU Data Protection Package: A History and Look to the Finish Line]

EU – Member States Need More Time with Regulation Proposal

The EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht. [Bloomberg]

EU – EU, U.S. Officials Indicate Potential Privacy Agreement at DPC

The keynote stage at the IAPP Data Protection Congress in Brussels became a diplomatic back-and-forth this morning as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of the U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue. [Privacy Advisor]

EU – Top Six Inadequacies Found During Privacy Audits

Would you be able to guess the top six failure points found in the last 20 privacy audits conducted by London’s Osborne Clarke? At the IAPP Europe Data Protection Congress, that is exactly what attendees were tasked with doing in a Family Feud/Family Fortunes-style challenge of determining just what the “Survey says.” In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details the top failure points highlighted during the “Audit Programmes” session. Some of the results were not what attendees were expecting—with such factors as “excessive access to data” and “inadequate data breach plans” not making the top-six list. [Privacy Advisor] See also: [Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan]

EU – Pan-Euro Law Likely Means ICO Restructuring

Pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February. [SC Magazine]

EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent.” Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

EU – New Dutch Fining Powers Expected in 2015

Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act. Jeroen Terstegge examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015. [The Privacy Advisor]

EU – Royal Decree Transposes Directive into Belgian Law

The Belgian government recently issued a royal decree that lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree transposes the EU Data Retention Directive into Belgian law. [Details]

EU – New Danish Whistleblowing Legislation Takes Effect

As of 1 January 2014, new Danish legislation concerning whistleblowing will take effect. According to the new legislation, all Danish companies in the financial sector must have a whistleblower scheme that enables employees and board members anonymously to report any breach of the financial regulation. [Details]

EU – Customer Care Outside the EU, New Rules Coming from the Italian DPA

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, provides its general rules to protect the privacy of Italian citizens. [Details]

EU – Datagate: Garante and DIS Enter Joint Agreement

The Garante and DIS have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet,” writes Panetta & Associati Managing Partner Rocco Panetta. [Details]

UK – Tribunal Overturns ICO’s £300,000 Spam Texts Fine

The General Regulatory Chamber, which allows rights of appeal against decisions of the UK Information Commissioner’s Office (ICO), has overturned an earlier £300,000 fine for the sending of unwanted text messages. [Details]

UK – Ministry of Justice Fined £140,000 for E-mailing Prisoner Details to Inmates’ Families

The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a £140,000 monetary penalty after the details of all prisoners serving at HMP Cardiff were e-mailed to three of the inmates’ families. [Details]

UK – ICO to Update Privacy Policy Guidance

The Information Commissioner’s Office (ICO) has announced that it will be updating its privacy policy guidance to reflect changes in privacy practices and technology. [Details]

UK – ICO Issues Code of Practice on Anonymisation

Anonymisation is of particular relevance at the moment, given the increased amount of information being made publicly available through Open Data initiatives and through individuals posting their own personal data online. Furthermore, the concept of anonymisation is fundamental for organizations that intend to take advantage of the possibilities offered by Big Data analytics without putting at risk the privacy of the data subjects. [Details]

Facts & Stats

WW – Data-Mining Software Biz Expects To Raise $100M

The New York Times reports on a data-mining software company that, on Thursday, was expected to file a notice that it has raised $100 million, putting a $9 billion valuation on the company. Palantir Technologies, which started as a CIA-funded data-mining company, just three months ago raised $196 million on a $6 billion valuation. Its initial customer base had been U.S. defense and intelligence contractors, but it now generates 60 percent of its revenue from commercial sources. The money raised is expected to be used in corporate expansion. Palantir currently employs 1,200 individuals in the U.S., Australia, Britain and Singapore. The Privacy Advisor recently reported on the growth of Big Data privacy jobs. [Source] [What Makes a Good Privacy Pro?] [Social Media Guru Deletes Facebook Account, Citing Need to “Take a Stand”]


US – The Impact of New Payment Card Industry Standards on Business

Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data. [The Privacy Advisor]

US – Social Media Guidance for Financial Institutions

After taking into account comments received during the first few months of this year, the Federal Financial Institutions Examination Council (FFIEC) has issued its final guidance “to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.” FFIEC says that financial institutions should have risk management programs including policies and procedures to “identify, measure, monitor and control” the use of social media and risks related to it. The guidance also recommends institutions provide guidance and training for employees as well as oversight, audit and compliance functions. [Read Guidance]

CN – Measures Clarify Rules for Chinese Credit Reference Agencies

The People’s Bank of China put out Administrative Measures for Credit Reference Agencies to supplement the Administrative Regulations on the Credit Information Collection Sector. Hunton & Williams’ Privacy and Information Security Law Blog reports that the measures provide more detail to the regulations, which “established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies.” The measures require agencies that handle personal information to gain pre-approval for licensing before they incorporate the data and state that all credit reference agencies may experience “enhanced surveillance” in certain circumstances, including if the agency is involved in a data breach incident or has failed to comply with reporting obligations, among others. The measures take effect on December 20.


US – GINA: Complying With this Camouflaged Privacy Law

The Genetic Information Non-Discrimination Act of 2008 (GINA) regulates employers’ collection, use, safeguarding and disclosure of “genetic information,” making it a privacy statute, writes Philip Gordon — and one with which it is becoming increasingly difficult to comply. Social media posts celebrating a family member’s cancer remission or a son’s trip to the ER for asthma contain “genetic information” in the eyes of GINA, Gordon writes, adding, “Recent (Equal Employment Opportunity Commission) enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA.” Find out more about the EEOC’s implementing regulations and how to mitigate risk in your organization. [Privacy Tracker]

US – Court to Hear California DNA Law Arguments

A panel of 11 Ninth Circuit Court of Appeals judges will hear oral arguments today in a case questioning the constitutionality of California’s DNA collection law. The law requires police to collect samples from every person arrested, the report states, noting the Ninth Circuit required attorneys on both sides of the California case to revise their arguments after the U.S. Supreme Court ruled 5-4 to uphold Maryland’s narrower DNA collection law. While “California Attorney General Kamala Harris and the Obama administration are both urging the court to uphold California’s law as a constitutional and powerful law enforcement tool,” the ACLU argues it is not constitutional because not all those arrested are charged with crimes. [The Associated Press]


WW – EFF Criticises Google for Removing Android 4.4.2 ‘Vital Privacy Feature’

The Electronic Frontier Foundation (EFF) has criticized Google’s removal of a privacy feature in a new Android 4.4.2 update, Computerworld UK reports. App Ops was a feature that gave users granular control over app permissions—a feature that privacy groups have long advocated for, the report states. The EFF’s Peter Eckersley said the app’s removal is “alarming news.” He also said he was told by Google that the feature was not yet supposed to be released as it could break some apps. Meanwhile, representatives of Google are expected to argue in the UK’s High Court that a case against the company for ignoring Safari users’ requests to not have cookies placed on their devices should be dropped. A Google spokesman said, “We’re asking the court to reexamine whether this case meets the standards required in the UK for a case such as this to go to trial.” [Full Story]

WW – Google to Cache All Gmail Images, to Some Confusion

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load speed. The move has apparently caused some confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users. [Ars Technica]

Health / Medical

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [HHS Report]

Horror Stories

US – Breaches Affect Health Providers, College System and Discussion Forum

Horizon Blue Cross Blue Shield is notifying nearly 840,000 subscribers that their personal information may have been affected by a stolen laptop, the report states. While the laptops were password-protected, the data was unencrypted. The information contained may have included names, addresses, dates of birth and Social Security numbers. Meanwhile, Kaiser Permanente has reported a privacy breach at its Anaheim Medical Center to 49,000 patients. A breach at a community college in Arizona may cost $14 million. And a Swedish daily newspaper says it has uncovered the identity of hundreds who left comments on Disqus websites. The company says its network has not been breached, however, and that the publication breached privacy policies to gain the information.

US – Breach May Hit 465,000 Cardholders; 2M Passwords Stolen

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cyberthieves. The cards were used by corporations to pay employees and by government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. CNN reports, in a separate incident, that keylogging software installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo. [Reuters]

US – LinkedIn Seeks Class-Action Dismissal

LinkedIn is asking a federal judge “to toss out a class-action suit that claims the social networking company hacks into users’ accounts for promotional use.” In an argument filed in a California federal court, the company asserted the suit is “meritless,” contending LinkedIn members “consent to the site’s terms, which allow LinkedIn to send invitations to their contacts,” the report states. The company has also suggested the suit’s four plaintiffs should have been aware, as “any ‘reasonably prudent Internet user’ would have realized the permissions they were granting to the company after going through the various permission screens for the ‘Add Connections’ feature.” [SC Magazine]

Identity Issues

WW – AVG Unveils WiFi Do-Not-Track App for Mobile

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” [Forbes]

Internet / WWW

WW – Snowden Leaks “Gumming Up” Cloud Industry

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.” [CNET News]

Law Enforcement

US – Boston Police Halt License Scanning Program

The Boston Police Department “has indefinitely suspended” its use of license-plate readers to check for motor vehicle violations in light of privacy concerns. “The police inadvertently released to the Globe the license plate numbers of more than 68,000 vehicles that had tripped alarms on automated license-plate readers over a six-month period,” the report states, noting that release “triggered immediate doubts about whether the police could reliably protect the sensitive data.” Spokeswoman Cheryl Fiandaca said the department suspended the program while Commissioner William Evans reviews it “so he knows that it’s being used effectively and that it doesn’t invade anyone’s privacy.” [The Boston Globe]
WW – Twitter Partnership Aims to Bolster Location Services

Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users. [MediaPost News]

WW – Twitter Starts Ad Targeting; Automaker Tracks from Showroom

Social network Twitter is set to begin rolling out cookie-based targeted advertising to show users ads based on their browsing history, Reuters reports. Twitter now joins other large online businesses including Google, Facebook and Amazon in using cookies to help with targeted ads. Meanwhile, AdAge reports on one automaker’s attempt to better understand the shopping behavior of customers, not only in its showroom but in its competitors’ as well. By using the services of PlaceIQ, Mazda can target ads based on highly specific consumer data—including location. A Mazda representative said that PlaceIQ helps “us define behaviors based on real-world location … The value of this to us is we’re actually getting real-world (indicators).” [AdAge]
WW – Report: Developing Countries Need Privacy Laws to Bridge the Gap

UN trade and development body UNCTAD has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. As of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy. [The Guardian]

Online Privacy

US – Internet’s Sad Legacy: No More Secrets

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [Full Story]

WW – New Study Uses Bots to Track the Trackers

A new study led by researchers at Princeton University and Belgium’s KU Leuven has discovered patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.” [Forbes]

US – AT&T Offers Discount to Users Willing to Be Tracked

AT&T has recently rolled out plans to offer high-speed Internet, including a 30-percent discount for users willing to be tracked. AT&T’s Fletcher Cook said, “With AT&T Internet Preferences, you allow us to use your web browsing activity … to provide you with more relevant offers and advertising.” Cook also said the company will not sell personal information. Those choosing not to take the discount will not get targeted ads but will still have data about them tracked. “We keep your personal information only as long as needed for business, tax or legal purposes,” he said, adding, “For those that don’t (opt-in), information is safeguarded the same way.” [Forbes]

WW – Opinion: Forget Notice and Choice, Let’s Regulate Use

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” [The Privacy Advisor]. [Privacy Art]

Other Jurisdictions

AU – Amendment to Change Australia’s Privacy Landscape

Following the Australian government’s passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the privacy landscape will change significantly. As of March, a new set of Australian Privacy Principles will come into force, the information commissioner will see enhanced powers and credit reporting laws will change. A recent Gartner survey indicated businesses are aware and are rating privacy as a higher priority than they historically have. [Australian Security Magazine]

NZ – John Edwards Is New Privacy Commissioner

Wellington-based lawyer John Edwards has been named New Zealand’s new privacy commissioner, succeeding Marie Shroff, who served as the nation’s data protection authority for the past 10 years. As barrister and solicitor, Edwards has been practicing public law and policy for more than 20 years. Justice Minister Judith Collins said, “Mr. Edwards’ public- and private-sector experience give him a highly informed perspective on data privacy and data matching issues,” adding, “He is an acknowledged privacy expert and has a broad, practical understanding of the Privacy Act.” Shroff said the role of privacy commissioner has become increasingly demanding, the report states. Edwards will take up the new position in February. [The New Zealand Herald]

AU – Australian Privacy Amendments Carry Big Penalties

David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace continues on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments and offers tips for compliance. The amendments will come into effect on 12 March. [Mondaq]

AU – ALRC Examines Right to Be Forgotten; Privacy Tort

The Australian Law Reform Commission (ALRC) is examining a “right to be forgotten” and “right to erasure,” noting “privacy groups are demanding the right to censor other people’s posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply where consent had been given. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can’t give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort.

NZ – New Zealand Official Welcomes Draft FATCA Legislation

Voxy reports that Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliance Act (FATCA) regulations, quoting PwC New Zealand FATCA Director Henry Risk, who said, “We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act, the report states. [Voxy]

HK – Commissioner Rules Fitness Center Collected Excessive Data

California Fitness has been fined by Hong Kong Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” [South China Morning Post]

Privacy (US)

US – FTC Unveils Privacy Focus for 2014

The U.S. Federal Trade Commission (FTC) has announced it will host a set of three seminars to explore consumer privacy issues and “examine the privacy implications of three new areas of technology that have garnered considerable attention.” The FTC will explore mobile device tracking, alternative scoring products and consumer-generated and -controlled health data. The first seminar, focusing on mobile device tracking, will be held in February. Meanwhile, a Government Health IT report asks, “Can the FTC regulate digital health privacy?” and looks into both sides of the data security dispute between the FTC and Atlanta-based health diagnostics firm LabMD.

US – White House Must Respond to Email Privacy Petition

A petition on the White House website calls for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an official response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. [The Hill] [Petition]

US – Will GAO Report Spur Action from Congress?

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the FTC is also preparing a report expected in early 2014. [Privacy Tracker]

US – O’Connor Named CDT’s President and CEO

The Center for Democracy and Technology (CDT) has announced Nuala O’Connor will head the organization. Leslie Harris, CDT president since 2005, announced in July she would resign from the post. O’Connor comes to the CDT from Amazon, where she’s worked as associate general counsel on privacy and data protection. Prior to that, O’Connor worked as chief privacy officer at the U.S. Department of Commerce and later the Department of Homeland Security before settling in at General Electric as chief privacy leader and senior counsel. She’ll lean on her past government experience in her new role and looks forward to tackling such issues as surveillance and online decision-making. [Privacy Advisor]

US – Potential Settlement Over Alleged Data-Mining Without Notice

A filing this week indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Bloomberg]

US – Study: Schools Outsourcing Student-Data Collection, Neglecting Safety

Public schools are using web-based services to collect and analyze personal details about students but aren’t providing the necessary safeguards. That’s according to a new study released by the Center on Law and Information Policy at Fordham Law School. The study looked at the contracts school districts sign to outsource such analytics. Many of the contracts “failed to list the type of information collected” and others “did not prohibit vendors from selling personal details—like names, contact information or health status—or using that information for marketing purposes,” the report states. Meanwhile, EPIC has filed a complaint with the FTC aimed at protecting student data. [The New York Times]

Opinion: The Poor Deserve Privacy, Too

Seeta Gangadharan and Aleta Sprague report on welfare programs and the amount of sensitive data collected on recipients. The massive amounts of data are stored in potentially unsecure databases for varying amounts of time and sometimes lack permissions controls for case workers, the report states. “Poor people in the welfare system don’t have privacy,” the authors write, “and they don’t factor into broader debates on protecting individuals’ liberty and right to be left alone.” One solution, the authors suggest, is to collect less data on recipients, thereby making the system more efficient and mitigating the potential risk of data loss. [Slate]

US – PCLOB Announces New Job Openings

The Privacy and Civil Liberties Oversight Board (PCLOB) has announced it is looking to hire attorney advisors “who will assist the board in carrying out its oversight and advice functions regarding federal counterterrorism matters.” According to the official job description, many of the cases and problems that will be handled by the incumbent will “involve little or no established precedent, may present delicate legal or factual situations and may involve important Constitutional principles.” In comments provided to the Daily Dashboard, PCLOB Chairman David Medine wrote, “Thanks to the funding provided by Congress to the Privacy and Civil Liberties Oversight Board in October, PCLOB is now able to expand its staff by hiring several lawyers. These new lawyers will increase the board’s ability to oversee existing federal counterterrorism programs and provide advice on the development of new programs, in order to ensure that the need for such efforts is balanced with the need to protect privacy and civil liberties.” [USAJobs]

US – Acxiom Signs First Long-Term Ad Agency Deal

One of the leading brands in the data brokering business, Acxiom, has signed what AdAge is reporting as a “multi-year deal with one of the biggest media agencies in the business: Starcom MediaVest Group.” The deal allows Starcom access to Acxiom’s Audience Operating System, which offers audience segmentation and targeting across online and offline media, thanks to first- and third-party data. “We believe leveraging Acxiom client data with third-party media data across any channel is going to … shape the market in years to come,” said Laura Desmond, CEO at Starcom MediaVest Group, which is part of Publicis Groupe. The deal is significant, Acxiom says, because it has formerly only worked with individual brands and companies. “This Starcom partnership is a huge deal for us because Acxiom has never had in its 40-year history a relationship with an agency,” said Acxiom CEO Scott Howe. [AdAge]
US – NIST to Host Privacy Panel December 19-20

The National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board is set to host a two-day, open meeting in Washington, DC, according to the Federal Register. Two main topics to be discussed are President Barack Obama’s Executive Order 13636 on critical infrastructure cybersecurity and potential incentives that should be adopted for improved cybersecurity practices. The notice also features an agenda for the meetings, which includes updates on legislative proposals pertaining to information security and privacy, a discussion on cryptography and an update on the Privacy and Civil Liberties Oversight Board.
WW – Tech Giants Urge Global Surveillance Reform

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data. [Source]

US – Gov’t Gathering Five Billion Cellphone Locations Per Day

The National Security Agency (NSA) is gathering nearly five billion records per day on cellphone locations around the world, The Washington Post reports. According to documents provided by former NSA contractor Edward Snowden, the records are stored in a vast database, and new tools to analyze the data have enabled mass surveillance, as the agency is capable of tracing cellphones globally and retracing their movements. Privacy advocates have concerns about the agency’s ability to establish relationships between phone users based on such data. Chris Soghoian of the ACLU said the only way to hide your location is to “live in a cave.” Meanwhile, a Brown University panel recently discussed NSA spying and how sophisticated government agencies have become in analyzing such data. [The Washington Post]

US – Obama Panel Urging Some NSA Curbs

The New York Times reports on the conclusions of President Barack Obama’s surveillance review panel. According to the panel’s report, the NSA program collecting U.S. phone call data should continue but only under “broad new restraints” to increase privacy protections. The panel also allegedly concluded that the U.S. should codify and publicly announce the steps it’s taking to protect the privacy of foreign citizens whose phone and Internet data is collected by the NSA and create “an organization of legal advocates” to argue against government lawyers before the Foreign Intelligence Surveillance Court. Resistance to the conclusions from the NSA and others is expected, the report states. Meanwhile, Verizon Communications has taken a stance against a shareholder resolution that would require more transparency about what user data it shares with the government. AT&T recently resisted a similar shareholder resolution as well. [Full Story] SEE ALSO: [Opinion: Privacy Rules Must Not Be Ambiguous]

WW – U.S., UK Intel Infiltrates Online Gaming

New leaks from Edward Snowden reveal that the U.S. National Security Agency and the UK’s GCHQ have infiltrated large online gaming communities to gather intelligence on possible terrorist activity. According to the documents, the agencies possess massive data-collection capabilities within the Xbox Live console network—a gaming community with approximately 48 million users. Documents also reveal that if done correctly, spying within the networks could produce intelligence on users’ social networking, target identifiers such as profile photos, geolocation, biometrics and other communications. Makers of the game World of Warcraft said they “are unaware of any surveillance taking place … If it was, it would have been done without our knowledge or permission.” [The Guardian]

US – NSA Uses Ad-Tracking Tech to Locate Targets

Leaked U.S. National Security Agency (NSA) slides reveal the agency is “piggybacking” on tools used by Internet advertisers to locate potential targets for government hacking and surveillance. According to documents leaked by Edward Snowden, the NSA and the UK’s GCHQ use cookies to identify individuals. Specifically, they have used Google’s PREF cookies, which generally do not contain personal information such as a name or e-mail address but do include numeric codes that uniquely identify a person’s browser, the report states; that is enough to single out one browser among many and to follow it across sites. Additionally, the documents reveal that the NSA is using commercially collected data to help it locate mobile devices around the world. UC Berkeley Law Prof. Chris Hoofnagle said, “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere’ … It’s hard to avoid.” [The Washington Post]

Telecom / TV

US – Groups Want Anonymized Phone Records Protected

In a petition filed with the Federal Communications Commission (FCC), privacy advocates have asked that even “anonymized” phone records be protected under the Communications Act. Section 222 of the act requires phone carriers to get customer consent before sharing data. The petitioners want the FCC “to issue a declaratory ruling that non-aggregate call records, purged of personal identifiers but with customers’ individual characteristics intact, are protected as ‘individually identifiable CPNI (customer proprietary network information)’ and phone carriers … must not sell the records without customers’ consent,” the report states. The petitioners allege AT&T violated the act by selling phone records to the Central Intelligence Agency. [PCWorld]

US Legislation

US – AZ State Sen. Wants To Ban NSA from the State

Sen. Kelli Ward (R-Lake Havasu City) says next month she will introduce legislation to prohibit state and local law enforcement from providing support to the National Security Agency (NSA) and state-owned utilities providers from providing services to NSA facilities. Ward aims to prevent warrantless surveillance of Arizona residents. Michael Maharrey, of the Tenth Amendment Center, the group that wrote the template for the bill, says Arizona is the first state to announce it will officially consider it. “That the federal government cannot force states to help implement or enforce any federal act or program is well-established in the law. It is known as the anti-commandeering doctrine,” Maharrey said. [Computerworld]

US – Candidate Wants Surveillance Protection in MT State Constitution

U.S. Senate candidate John Bohlinger (D-MT) has filed paperwork with the Montana Secretary of State that would expand the state constitution’s privacy protections to include digital data, reports KRTV News. Bohlinger is looking to get the language on November’s voter ballot, but it must first go through the legislative counsel, the Montana Attorney General’s Office and gain more than 40,000 signatures.

US – NY Sen. Proposes Changes in State’s Education Privacy Regime

New York State Sen. and State Senate Education Committee Chairman John Flanagan (R-East Northport) issued a report recommending stronger privacy protections for student data, among other initiatives. The report addresses concerns voiced during five Education Committee hearings, including third-party access to the personally identifying information of students, teachers and principals in the state’s Education Data Portal. One piece of legislation the report points to is a privacy bill “which would strengthen protections of personal information stored on the state-wide data portal, establish significant civil and criminal penalties for unauthorized disclosure of personal information and create independent oversight within SED on matters related to privacy,” Long Island Exchange reports.

US – Journalists, School Argue Over Whether Surveillance Video Is Protected Under FERPA

The Utah chapter of the Society of Professional Journalists (SPJ) has filed a brief stating that the Canyons School District has wrongfully cited the Family Educational Rights and Privacy Act (FERPA) in denying access to school surveillance video footage, reports Student Press Law Center. While the school states the footage is protected because it is maintained by the school and identifies students, the SPJ says the video is not an education record and is therefore not covered by FERPA. The lawyer for the SPJ wrote in the brief that the footage “is akin to a law enforcement record, which is expressly excluded from the definition of ‘education record’ under FERPA.”

US – Lawmakers See Amazon Announcement as More Reason for Drone Regulation

The recent announcement by Amazon’s founder Jeff Bezos that the company expects to make deliveries by drones in the near future has given Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) and Sen. Ed Markey (D-MA) a new hook to push bills that would regulate drone use with respect to privacy. “The issue of concern, Mr. Speaker, is surveillance, not the delivery of packages. That includes surveillance of someone’s backyard, snooping around with a drone, checking out a person’s patio to see if that individual needs new patio furniture from the company,” Poe said in front of Congress this week. [The Verge]

US – CA Court of Appeals Limits Claims, Damages Under CMIA

In keeping with previous data breach cases, the California Court of Appeal recently limited plaintiffs’ ability to state a claim and get statutory damages under the California Confidentiality of Medical Information Act (CMIA). The court ruled that “plaintiffs must plead and prove more than the mere allegation that a healthcare provider negligently maintained or lost possession of data but rather that such data was in fact improperly viewed or otherwise accessed.” The authors state the court relied heavily on “an analysis of the legislative intent behind Senate Bill No. 19.” [Law360]

US – FTC Settles with Flashlight App Developer

The Federal Trade Commission (FTC) has settled with an Android flashlight app developer over charges that the app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. “Brightest Flashlight Free,” developed by Goldenshores Technologies, allegedly failed to disclose within its privacy policy that it transmitted users’ precise locations and unique device identifiers to third parties. The settlement, the FTC’s first based on location data, prevents the company from misrepresenting how it collects and uses consumer data and requires it to provide a just-in-time disclosure informing consumers of how their data is used and to obtain express consent. Meanwhile, a study has found most mobile apps put privacy at risk. Mobile privacy is one of three focuses for the FTC in 2014.

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for, among other lapses, not completing privacy impact assessments for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is a burden on improved patient care. [Full Story]

US – State AGs: The Most Important Regulators in the U.S.?

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer and Aaron Lancaster. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead. [Full Story]

US – Where the FTC is Headed in 2014

On Capitol Hill, all four FTC commissioners testified before a House Energy and Commerce subcommittee to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on the agency’s current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC, reports The Privacy Advisor, including remarks by Rep. Marsha Blackburn (R-TN) and FTC Bureau of Consumer Protection Director Jessica Rich. The FTC also last week announced it will host a set of three seminars to explore consumer privacy issues. The first seminar, focusing on mobile device tracking, will be held in February. [Full Story]

US – Legal Reform Needed in U.S., Not Just Europe

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror. [Full Story]

US – Google Wins Dismissal in Privacy Policy Case

Google has won its dismissal of a lawsuit challenging its privacy policy, which allows it to combine user data across its different products. U.S. Magistrate Judge Paul Grewal ruled the plaintiffs failed to prove they had suffered losses as a result of Google’s actions, but he also ordered the plaintiffs can refile their claims. “A plaintiff must do more than point to the dollars in a defendant’s pocket,” Grewal wrote in his ruling. In order for the suit to move forward, the plaintiffs have to demonstrate how Google’s use of their data “deprived the plaintiff of the information’s economic value.” [Bloomberg]

US – ALEC Publishes Model Bill for State Education CPOs

The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall. [Full Story]

Workplace Privacy

EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France

The New York Times reports on the range of internal and personal investigations generated by IKEA’s France-based stores. A regional court in France is now looking into whether company executives in France violated national law by ordering personal investigations of hundreds of individuals over a 10-year span. Investigations were conducted by the company for several reasons, including job applicant background checks, cases against employees accused of wrongdoing and ways to counter consumer complaints brought against the company in courts, and, according to the report, IKEA France approved more than 475,000 euros for the hiring of private investigators. A lawyer representing one plaintiff in the case said, “It is hard to conceive that this kind of thing happens in a democratic society like France … This is not Soviet Russia.” [The New York Times]




16-30 November 2013


WW – Advancements in Facial Recognition Raise Privacy Questions

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [New York Times]

US – Franken Wants Users Protected Against Facial Recognition ASAP

Sen. Al Franken (D-MN) has asked the Commerce Department to facilitate a discussion between tech companies and privacy advocates on facial recognition technology. In a letter to the Commerce Department’s National Telecommunications and Information Administration this week, Franken said the tech community should develop best practices “as quickly as possible” to protect individuals when it comes to the technology. “The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database—already likely the largest in private hands,” Franken wrote, referring to Facebook’s recent update to its data-use policy that states it will use public profile pictures to identify users in other photos. [The Hill]


CA – Stoddart Departing Commissioner’s Post

A Postmedia News report looks at Privacy Commissioner Jennifer Stoddart’s departure from office and the work she did while there, including taking on big companies like Google and Facebook in defense of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier will step up as interim privacy commissioner until Stoddart is replaced. [Postmedia News]

CA – Commissioner Supports Call for CSC Audit

Correctional Investigator Howard Sapers has recommended Correctional Service Canada “conduct an internal audit of its practices and procedures to protect personal information,” and that call has prompted a statement of support from Privacy Commissioner Jennifer Stoddart. “We are very pleased that the correctional investigator has called for an internal audit,” Stoddart’s statement reads. “Year after year, our own office has identified serious privacy concerns with respect to Correctional Service Canada (CSC).” The statement notes the CSC “consistently accounts for the largest number of complaints received by our office”—with 284 received in 2012-2013. [Canada NewsWire]

CA – Journalists Concerned About Bill C-461

Journalists and broadcasters are raising concerns that Bill C-461 “could undermine the journalistic and programming integrity of Canada’s public broadcaster, the CBC/Radio-Canada.” In a statement, the journalists cite multiple concerns, including that it “opens the door to privacy requests that could also jeopardize the CBC’s journalistic integrity.” The report suggests, “C-461 changes the Privacy Act by removing the CBC’s right to exclude privacy information collected for reasons of journalism and instead makes disclosure of that information subject to a test of injury to the CBC’s ‘independence.’” [CNW]

CA – What Does Unconstitutional Ruling Mean for Alberta Privacy Law?

In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown analyzes what the decision means for the province. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. [Privacy Tracker]

CA – Cyber-Bullying Bill Revives Bill C-30 Controversy

A tough new law on cyberbullying is putting a spotlight on the Conservative government’s sweeping approach to strengthening police investigative powers. The proposed law was introduced Wednesday, and is reviving the controversy around the previously withdrawn Bill C-30. “Regrettably, the federal government is using this pressing social issue as an opportunity to resurrect much of its former surveillance legislation, Bill C-30,” said Ontario Information and Privacy Commissioner Ann Cavoukian, suggesting the new bill gives police surveillance powers that pose a risk to privacy. Meanwhile, Minister of Justice and Attorney General Peter MacKay has denied the “new anti-cyberbullying bill will do an end-run around legitimate Internet privacy protections.” [The Globe and Mail]

CA – Supreme Court to Hear Gun Registry Appeal

The Supreme Court has decided it will give Quebec’s government a final chance at making a case for preserving gun registry data. In June, the Quebec Court of Appeal ruled the province “has no property right in the data,” noting “its existence in a registry infringes the right to privacy,” the report states. “For the moment, we’re satisfied with the situation, and we’re preparing for the eventual creation of a Quebec arms registry,” said Stéphane Bergeron, Quebec’s public safety minister. Federal Public Safety Minister Steven Blaney issued a statement, however, that the Conservative government “will vigorously defend our legislation, adopted by Parliament, in front of the Supreme Court.” [The Globe and Mail]

CA – Opinion: Saskatchewan Should Look to Neighbours

Attorney Greg Fingas writes about Saskatchewan’s lack of provincial privacy law, noting that while it has managed to skirt the issues some of its neighbours have come up against, its citizens may not be getting the level of privacy protection they want. Federal law offers some protection to Saskatchewan residents, and Fingas says “it’s possible that our current privacy protection is sufficient. But given an ideal opportunity to ask what protection we expect for ourselves, we should keep an eye on our neighbours’ choices rather than avoiding the question entirely.” [Leader Post]


US – Are Notice and Consent Still Relevant for Internet of Things?

Stakeholders met in Washington, DC, to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the FTC of late, but the complexity of the IoT ecosystem was readily apparent during yesterday’s proceedings. Jedidiah Bracy covers the event and looks at calls for a new privacy paradigm around the Fair Information Practice Principles and the need for even more robust privacy design initiatives. [The Privacy Advisor]

WW – User Privacy Perceptions Could Cause Harm

A new study suggests that, though a majority of users believe they have a responsibility to protect their privacy, most do not take steps to actually protect it. The disconnect between users’ stated attitudes toward privacy accountability and their actions suggests that consumers’ perception is more ideological than practical, said Stephen Cobb, a senior security researcher at ESET, the organization that commissioned the Harris Interactive survey of more than 2,000 U.S. adults. “What I think people lack are the resources and education to follow all the way through with (protecting information),” he said, adding, “The average American adult isn’t going to walk through the door well-prepared to protect that company’s information … They need help. They need education.” [Network World]


US – Judge Who Ruled Against Google To Hear Yahoo Case

Following her ruling against Google’s request to dismiss a privacy lawsuit accusing it of using personal information gleaned from e-mails transmitted via Gmail, U.S. District Judge Lucy Koh is being sought to hear similar lawsuits against Yahoo. The lawyer who filed a November 15 complaint against Yahoo says Koh’s recent ruling against Google’s request to dismiss the suit against it was “enormously important” for plaintiffs in group privacy suits. Yahoo has requested that three complaints filed against it be combined, to minimize the labor and costs that would result from the case being heard by three different judges. Separately, Yahoo has announced that following revelations that the NSA had accessed its data centers, it will add encryption to all of its products by spring 2014. [Bloomberg]

Electronic Records

WW – Hartzog and Selinger: Maybe We Need More Specific Terms

Woodrow Hartzog and Evan Selinger discuss some of the myths around Big Data and the importance of using the term correctly. Skepticism is important in order to help society set realistic expectations, the authors write, but like the concept of “privacy,” the term “Big Data” itself is problematic because “it has no set meaning.” At some point it will be important to assign specific terms, rather than “heuristic terms”—or “mental shortcuts” developed to make sense of complex ideas quickly—in order to accurately discuss such concepts as Big Data, the authors write. [Forbes]


US – Lavabit Files Reply Brief in Appeal

Lavabit’s legal team has filed its reply brief in its case appealing the US government’s authority to demand the company’s master encryption key. The outcome of the case will decide whether an Internet company can be compelled to surrender master encryption keys when entities are seeking information about a single user. According to Lavabit’s brief, “the government has no general entitlement to search through the information of an innocent business.” [WIRED]

WW – Google Beats SSL Upgrade Deadline

Google has fulfilled its commitment to retire 1,024-bit encryption keys ahead of the scheduled target of the end of this year. Google has now replaced all certificates for its online services with new, 2,048-bit SSL certificates. The company is also taking steps to encrypt traffic between its data centers. [CNET]

EU Developments

EU – Commission Gives U.S. 13 Ways to Save Safe Harbor

The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework, which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. U.S. Federal Trade Commissioner Julie Brill said she’s pleased the commission has indicated its support for maintaining Safe Harbor as a data transfer mechanism. “I think some of the recommendations—increasing transparency and making alternate dispute resolution accessible and affordable—would be helpful.” Dutch MEP Sophie in ‘t Veld said that while she’s pleased there’s progress, the report is long overdue. “Maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws,” she said. Covington & Burling’s Henriette Tielemans said the report indicates a “genuine willingness on the part of the commission” to save Safe Harbor. [The Privacy Advisor]

EU – Safe Harbor Report Could Be the Start of Real Privacy Interoperability

According to Field Fisher Waterhouse Partner Eduardo Ustaran, the European Commission’s report on Safe Harbor lived up to expectations of being “critical” of the agreement but stopped short of “delivering a fatal blow to the scheme.” Ustaran writes that false claims of compliance with Safe Harbor “appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating from the EU,” adding, “In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker…” [Privacy Perspectives]

EU – Brussels to Warn U.S. of Safe Harbor Risk

Lawmakers in Brussels are set to officially warn Washington that Safe Harbor may be at risk unless U.S. tech businesses change the way they handle the data collected on EU citizens, Financial Times reports. The European Commission (EC) has been reviewing the Safe Harbor pact and is slated to announce its conclusions on Wednesday. According to the report, the EU is not expected to scrap the deal, but its wording suggests the EU will move in that direction if changes are not made by U.S. businesses. “The personal data of EU citizens sent to the U.S. under the ‘Safe Harbor’ may be accessed and further processed by U.S. authorities in a way incompatible with the ground on which the data was originally collected,” the draft version of the EC report states. “The commission has the authority … to suspend or revoke the Safe Harbor decision if the scheme no longer provides an adequate level of protection.” [CNBC]

EU – Cookie Monsters of Silicon Valley Come to Brussels

In the world of online tracking, the cookie is king—but there may be a regime change on the horizon. Cookies are under more regulatory scrutiny than ever, especially in Europe, but even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework. IAPP Westin Research Fellow Kelsey Finch examines how this new technology is likely to be viewed and regulated in the European Union. [Full Story]

EU – Berlin Now Home to Privacy Activists, Leakers

Germany’s once-divided city of Berlin has become a haven for privacy activists and whistleblowers attempting to avoid prosecution from countries such as the U.S. and UK. Documentary filmmaker and Edward Snowden conduit Laura Poitras has made Berlin home, as has former Wikileaks spokesman Jacob Appelbaum. One privacy activist said, “It’s a rather inviting social climate right now … Why be completely paranoid, go mad, have your house surveilled? There’s a reason people are coming here.” [The Washington Post]

EU – Safe Harbor’s in Trouble—Unless You Ask the U.S.

The U.S. Department of Commerce says Safe Harbor is still viable, and the FTC says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. Angelique Carson talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said. [The Privacy Advisor]

EU – Reding: U.S. Must Allow Europeans to Sue Agencies That Violate Privacy

EU Justice Commissioner Viviane Reding says the U.S. can win back EU trust by allowing EU citizens the right to sue U.S. agencies that violate their privacy. Reding said today’s meeting between EU and U.S. officials must make progress toward enforceable rights. Meanwhile, the U.S. Supreme Court has rejected a challenge of the National Security Agency’s telephone spying program, and two district courts will hear challenges to NSA snooping. In Luxembourg, Europe v. Facebook wants more specific answers on the federal data protection commissioner’s ruling that Microsoft and Skype did not break privacy law by transferring EU user data back to the U.S. [Bloomberg]

EU – EU Parliament could block data sharing with the US

After EU Justice Minister Viviane Reding made positive noises about a deal with the U.S. on law enforcement access to data, MEP Jan Philipp Albrecht said that there is a line in the sand the EU Parliament will not cross: “If a U.S. citizen has a problem with how his data has been treated in the EU, he can take it up with an EU court. We just want the same rights in the U.S. This should be possible. It would be very easy to fast-track change in the U.S.’s privacy act and simply add text to include EU citizens.” [Full Story]

EU – Opinion: Data Community Must Influence Law

“It is essential … that the information security community not only make the effort to be aware and prepare but also recognise and exert influence over” the eventual EU data protection legislation, writes Yves Le Roux of (ISC)2. Pointing to the lack of technical feasibility of the right to be forgotten, Le Roux writes that privacy pros and others need to speak up about such elements of the law that may not be practicable, noting that the IAPP Europe Data Protection Congress provides an opportunity to do just that. [Computerworld]

EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?

U.S. Attorney General and Acting Secretary of the Department of Homeland Security Rand Beers met yesterday with EU Justice Commissioner Viviane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]

EU – German Court: Google Rules Violate User Rights

A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]


EU – French Court Orders Search Engines and ISPs to Block Pirate Sites

A French court has ordered major search engines to block 16 video-streaming websites. Google, Microsoft, and Yahoo must prevent the sites from appearing in their search results. The order also applies to several Internet service providers (ISPs) used by residents of France, which will have to prevent users from accessing those sites. Some of the plaintiffs in the case told the judge that merely ordering a block on the sites would prove ineffective because the people behind the pirate sites would just re-create the sites with new names. Wiley Rein’s David Weslow says if the decision is upheld on appeal, “there may be a precedent in France for forcing search engines or other types of Internet service providers to take affirmative actions to disable certain online content even where a ‘take down’ request has not been filed with that Internet service provider.” A recent poll on whether government should play an increasing role in protecting online privacy came out 52% yes and 48% no, indicating “there is not overwhelming agreement” on what should be done, and that tech companies and governments should be prepared to weigh in. Meanwhile, Google says it will voluntarily remove a Google Maps image related to a young boy’s murder. [TechRepublic] [BBC] [WIRED]


WW – Coin Addresses Some Critics’ Concerns

When Coin released information about its all-in-one digital credit card last week, some critics voiced concern about the technology’s security and reliability issues. For example, some wondered how securely the credit card information is stored and whether the device could be used as a card skimmer. Others expressed concern that the device would not work if the associated phone is out of power, and wondered whether or not merchants would be willing to accept Coin for payments. Coin has announced some changes, including a method for reactivating the device even if users’ phones are out of battery. Coin will also lock onto the payment method users have chosen to avoid accidentally switching to other payment methods stored in the device. The company says that the stored card information is encrypted. [CNN]


EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

US – Google to Pay $17M to Settle Cookies Case

Google has agreed to pay $17 million in a settlement with 37 states and the District of Columbia “over its unauthorized placement of cookies on devices running Apple’s Safari browser,” following Google’s agreement last year to pay a $22.5 million civil penalty to the FTC. In their case, the state attorneys general alleged “Google’s circumvention of Safari’s default privacy settings violated state consumer protection and related computer privacy laws,” the report states. A Google spokeswoman said, “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.” [IDG News Service]

EU – Complaints Over Google Terms of Service Filed in 14 Countries

Privacy advocate Simon Davies has filed complaints with 14 European data protection authorities stating that Google’s new terms of service violate European data protection law. The main issue involves changes to the “shared endorsements” feature, which allows Google+ users’ names and photos to be used in advertising for products they follow on the service. “The general position is that the ground rules shouldn’t be changed halfway through the match. Google acquired the data under one condition, and I’m asserting that it cannot change the purpose of that data after the fact,” Davies said. Davies’ other challenges target the feature’s opt-out mechanism and changes in the way users are required to interact with YouTube. [PCWorld]

Health / Medical

US – Debunking Three Cyber Insurance Myths

“In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals,” writes Experian Data Breach Resolution Vice President Michael Bruemmer, “Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly.” Bruemmer debunks three of the most common myths associated with cyber insurance and examines why small- and medium-sized businesses are not off the radar of hackers and other cyber thieves. [Privacy Perspectives]

Horror Stories

WW – Breaches Hit Health Exchanges, Anthem and More

Los Angeles Times reports that Anthem Blue Cross accidentally posted online the Social Security numbers (SSNs) and tax identification numbers of approximately 24,500 doctors. The data was mistakenly published within an online directory last month. Meanwhile, GovInfoSecurity reports on three breaches involving health insurance exchanges, including in Vermont and Oregon. In a separate report, the Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts discusses two essential steps organizations should take to help mitigate data breaches. More than 1,000 patients at California’s Redwood Memorial Hospital have been notified their personal information may have been compromised after an unencrypted USB drive was misplaced. Crown Castle has revealed that sensitive payroll data of its U.S. employees has been accessed by hackers. After a data breach affecting several city workers, the city of Milwaukee has said it will avoid using SSNs. And representatives from Adobe have said e-mails notifying those affected by a massive breach are taking longer than it anticipated. [L.A. Times]

WW – Breaches Affect School, Dating Site, Health Plan

A New York school district is alerting thousands of students and their parents of a security breach that saw some of their data posted online. A list of 15,000 names and school ID numbers was posted. Meanwhile, Anthem Blue Cross has begun notifying customers that their names, business addresses and tax ID numbers were posted to the company’s website this month. And online dating service company Cupid Media suffered a breach in January this year exposing names, e-mail addresses and passwords in plaintext. In an opinion piece for Dark Reading, Robert Lemos warns that cloud data is increasingly vulnerable to hacks. [Newsday]

US – Cupid Media Data Breach Affects Millions of Accounts

A data security breach at online dating network Cupid Media has exposed personal information from 42 million accounts. The compromised data include email addresses and unencrypted passwords. The data theft was discovered because it was stored on the same server where attackers had stored data stolen from Adobe, PR Newswire, and several other organizations. The Cupid Media breach apparently occurred in January 2013, and users were notified. The Australia-based company operates more than 30 specialized dating websites. [ComputerWorld]

Identity Issues

US – Screen Actors Guild Sides Against Amazon in Privacy Dispute

The Screen Actors Guild (SAG) has announced it is supporting an actress’s privacy suit against Amazon. The SAG said the company “committed an unconscionable breach of trust” when it accessed actress Junie Hoang’s credit card information to determine and publicize her real birthdate. “Individual IMDb profiles contain information that most people would consider private and that can be used for improper purposes,” the SAG wrote in an amicus brief to the Ninth Circuit Court of Appeals. [MediaPost]

Internet / WWW

WW – UN Passes Internet Privacy Resolution

The United Nations General Assembly’s Human Rights Committee has unanimously approved a resolution against unlawful surveillance, originally proposed by Brazil and Germany. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?” [Associated Press]

EU – EDPS: Telecoms Market Reform Plan Would Put Privacy at Risk

New net neutrality laws would mean Internet users’ privacy rights would be at risk, according to the European Data Protection Supervisor (EDPS). The European Commission’s telecoms market reform plans would allow Internet service providers to engage in “wide-scale, preventive monitoring of communications content,” an affront to data privacy and protection as well as consumer trust in electronic communication services, the EDPS said.

WW – Facebook Forges Ahead with Planned Changes

While Facebook has moved forward with changes to its privacy policies alerting users it may use their profile pictures, location and other personal information in advertisements, the company has deleted a controversial line in the policy on teens’ use of the site. The line stated Facebook assumed teens had obtained permission from their parents, drawing the ire of critics including Sen. Ed Markey (D-MA), who said Facebook should not profit from the personal information of children and teens. Facebook Chief Privacy Officer Erin Egan said, however, that the company wouldn’t gain additional rights as a result of the statement; rather, it was meant to get kids and their parents discussing the terms, The Washington Post reports. [Washington Post]

Law Enforcement

EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?

U.S. Attorney General and Acting Secretary of the Department of Homeland Security Rand Beers met yesterday with EU Justice Commissioner Viviane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, reports Bloomberg, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time.” Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]

AU – Pilgrim Discusses New Powers

Privacy Commissioner Timothy Pilgrim said his office “won’t take a ‘softly-softly’ approach with new regulatory powers that will become available to it in March.” Pilgrim said, “The two sets of principles we have are fundamentally very similar to the ones that are coming into place. The private sector has been working with them for over 12 years; the government has been working with them for over 25 years; there’s a common theme, so there shouldn’t be a big challenge in complying with them.” He noted, however, that for “difficult organisations and some intransigent organizations,” the office would take a stricter stance. Meanwhile, the Australian Law Reform Commission will be recommending updates to privacy laws to address serious invasions of privacy. [IT News]

HK – Critics Say Hong Kong Data Protection Law Needs Update

Critics of Hong Kong’s data protection law say the law is “miles away” from comparable laws internationally and needs an update in order for the city to tackle privacy challenges and embrace opportunities presented by public data use. Reviews of the law have come following the privacy commissioner’s forced shutdown of mobile app “Do No Evil” for privacy violations. “There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” said lawmaker Charles Mok, adding he hopes the government will engage the public. [South China Morning Post]

SA – South Africa: Zuma Signs Privacy Bill Into Law

South African President Jacob Zuma’s administration announced on Wednesday that he has signed the Protection of Personal Information Bill into law. “The act will give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” said presidential spokesman Mac Maharaj. The bill contains eight principles that express the right to privacy provided in the constitution and establishes the Office of the Information Regulator, which will take over responsibility for the Promotion of Access to Information Act. [Global Post]

IN – India’s Privacy Bill to See Further Delay

Differences between the ministries of Home and Law and the Department of Personnel and Training mean the Right to Privacy Bill has little chance of being tabled in this winter’s session of Parliament. The bill was originally proposed in 2011 and aims to “safeguard security interests of all affected individuals whose personal data has or is likely to have been compromised by such a breach.” Causing the divide is a provision stating the proposed law will supersede all provisions of the 58 existing laws that touch on privacy, Economic Times reports. An official at the Department of Personnel and Training told ET that the bill has been “stuck at the law ministry for several months now.” [Indian Express]

Online Privacy

WW – Viral Video Exposes Privacy Disconnect

A video went viral last week in which the host, Jack Vale, decided he wanted to know “how easy it would be to get personal information from complete strangers.” Vale located nearby social media users by using his own location and identifying nearby users who publicly posted basic personal information. It turned out that identifying and gleaning additional personal data was relatively simple. Privacy Perspectives explores the experiment, looking at “what seems to be a common disconnect between our online and offline lives” and possible lessons for online businesses. [Full Story]

WW – Browser Extension Allows Users to Use “Fake” Identifiers

U.S.-based Abine is adding features to its anti-tracking browser extension to allow users to hide their personal details during web transactions. The features are being added to “DoNotTrackMe,” an extension for browsers such as Firefox, Internet Explorer, Chrome and Safari. Users can give a one-time credit card number and a disposable e-mail address and phone number, the report states, rather than using their real details. [PC World]

Other Jurisdictions

AU – Final Set of APPs Released for Comment

The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles (APPs). APP 12 and 13 cover access to and correction of personal information and require organisations to give consumers access to the information organisations hold on them and to take reasonable steps to correct information as well as “contact other organisations that hold the same information about a person so that they can update these details,” the report states. The consultation period is open until 16 December. [ComputerWorld]

MY – Long-Delayed Malaysian Data Protection Law Now In Effect

Passed originally in 2010, Malaysia’s Data Protection Law is now actually in effect, after years of postponements. The Malaysian Minister of Communications and Multimedia announced on November 14 that the law would go into effect the next day, leaving professionals to scramble to make sure they are in compliance. Major features of the law